Windows Analysis Report
SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
Analysis ID: 1503237
MD5: e9521ec55c41641cc645a0223b1e9ac1
SHA1: ef63f2a2d918925b8b44ec9a9b848e919cc6a22a
SHA256: 2c49cd770976c10d5f65114ce71ce14817e3ffaa74cf3bed2fa24f588b13ebf2
Tags: exe

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for dropped file
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe (PID: 4708 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe" MD5: E9521EC55C41641CC645A0223B1E9AC1)
    • setup.exe (PID: 6444 cmdline: "C:\Users\user\AppData\Local\Temp\setup.exe" MD5: 2B4BA70B5C6115ADD73FDEF28AAEAA8A)
      • GamePall.exe (PID: 5408 cmdline: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
        • GamePall.exe (PID: 4396 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3256 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2 MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
        • GamePall.exe (PID: 5684 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3720 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
        • GamePall.exe (PID: 5148 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3796 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
        • GamePall.exe (PID: 4408 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1725339558529135 --launch-time-ticks=6350788134 --mojo-platform-channel-handle=3836 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
        • GamePall.exe (PID: 3596 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1725339558529135 --launch-time-ticks=6350826709 --mojo-platform-channel-handle=3940 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
        • GamePall.exe (PID: 4480 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --time-ticks-at-unix-epoch=-1725339558529135 --launch-time-ticks=6357847939 --mojo-platform-channel-handle=2060 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
  • GamePall.exe (PID: 2848 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
    • GamePall.exe (PID: 2384 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
      • GamePall.exe (PID: 3364 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
      • GamePall.exe (PID: 6524 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
      • GamePall.exe (PID: 6412 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
      • GamePall.exe (PID: 5752 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
      • GamePall.exe (PID: 3924 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
      • GamePall.exe (PID: 3588 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
      • GamePall.exe (PID: 7200 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
      • GamePall.exe (PID: 7328 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
    • GamePall.exe (PID: 7144 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
      • GamePall.exe (PID: 7320 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
    • GamePall.exe (PID: 3892 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
    • GamePall.exe (PID: 3340 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
      • GamePall.exe (PID: 7352 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
    • GamePall.exe (PID: 4336 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
    • GamePall.exe (PID: 4524 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
    • GamePall.exe (PID: 5768 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
    • GamePall.exe (PID: 6116 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
    • GamePall.exe (PID: 2284 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
    • GamePall.exe (PID: 5596 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
    • GamePall.exe (PID: 5764 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
    • GamePall.exe (PID: 5264 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
    • GamePall.exe (PID: 6128 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
    • GamePall.exe (PID: 2000 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
    • GamePall.exe (PID: 7300 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\setup.exe, ProcessId: 6444, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GamePall
No Suricata rule has matched

AV Detection

Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe; Avira: detected
Source: C:\Users\user\AppData\Local\Temp\setup.exe; Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat; Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe; ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe; Virustotal: Detection: 21%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.6% probability
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\Del.exe; Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\setup.exe; Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: GamePall.exe, 0000000B.00000002.3455415643.0000000008487000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exeePallll source: setup.exe, 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: GamePall.exe, 0000000B.00000002.3455415643.0000000008487000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: D3DCompiler_47.pdb source: d3dcompiler_47.dll.5.dr
Source: Binary string: libEGL.dll.pdb source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdbH source: GamePall.exe, 00000006.00000000.3106489932.0000000000442000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 00000006.00000000.3106489932.0000000000442000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, GamePall.exe, 0000000C.00000002.3238499916.0000000005082000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: D3DCompiler_47.pdbGCTL source: d3dcompiler_47.dll.5.dr
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 0000000C.00000002.3238023410.0000000004C12000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 0000000C.00000002.3238499916.0000000005082000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, GamePall.exe, 0000000C.00000002.3238023410.0000000004C12000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: `OTHER`TEMP`PACKED<%s return value>hlslFlagshlslTargethlslEntryhlslDefinesinternal error: failed to write debug data to pdb streaminternal error: failed to add section contributioninternal warning: PDB Error string is "%S"internal error: failed to close debug infointernal error: failed to close PDBinternal error: failed to open PDB for writing in streaminternal error: failed to create debug info in PDBinternal error: failed to add code section to debug infointernal error: failed to add module to debug infointernal error: failed to create type info in PDBinternal error: failed to create inline type info in PDBinternal error: failed to create source file store in PDBinternal error: failed to close source file store in PDBinternal error: failed to close module in debug infointernal error: failed to commit type info in PDBinternal error: failed to commit inline type info in PDBinternal error: failed to add section header to debug infointernal error: failed to append section header to pdbinternal error: failed to close section header in debug infointernal error: failed to close debug info in PDBinternal error: failed to commit PDBinternal error: PDB data too largeinternal error: PDB stream truncatedinternal error: failed to close source file storeinternal error: failed to close type infointernal error: pdb append failedfxl_4_0too many arguments to target TXtoo many outputs to target TXclip not supported in texture shadersinvalid reference to input semantic '%s%d'invalid reference to output semantic '%s%d'0123456789abcdef.pdbVPosSV_ViewportArrayIndexColorFailed to log error, redirecting to debug output: source: d3dcompiler_47.dll.5.dr
Source: Binary string: libGLESv2.dll.pdb source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 00000005.00000002.3219319308.000000000070A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 00000005.00000002.3219319308.000000000070A000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe; Directory queried: number of queries: 1695
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe; Code function: 0_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405B4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe; Code function: 0_2_004066FF FindFirstFileA,FindClose,0_2_004066FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe; Code function: 0_2_004027AA FindFirstFileA,0_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\setup.exe; Code function: 5_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,5_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\setup.exe; Code function: 5_2_004066FF FindFirstFileA,FindClose,5_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\setup.exe; Code function: 5_2_004027AA FindFirstFileA,5_2_004027AA
Source: Joe Sandbox View; IP Address: 139.45.197.238 139.45.197.238
Source: Joe Sandbox View; IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View; IP Address: 1.1.1.1 1.1.1.1
Source: Joe Sandbox View; IP Address: 104.18.66.57 104.18.66.57
Source: GamePall.exe, 00000023.00000002.3574652326.0000000002F01000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://api.install-stat.debug.world/clients/activity
Source: GamePall.exe, 00000023.00000002.3574652326.0000000002F01000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://api.install-stat.debug.world/clients/installs
Source: GamePall.exe, 00000023.00000002.3574652326.0000000002F01000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://api.install-stat.debug.world/clients/installs(
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000003.3220395763.00000000004E2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000002.3221156533.00000000004E2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://glokh.com/
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000002.3221197069.00000000004EA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000002.3221029443.0000000000478000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://glokh.com/22_556/huge.dat
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000003.3220395763.00000000004E2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000003.3220680147.00000000004E8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000002.3221197069.00000000004EA000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://glokh.com/22_556/huge.datC2$
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp; String found in binary or memory: http://glokh.com/22_556/huge.datYFCUZSz5etjXgIpLd4/6g==
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000002.3221029443.0000000000478000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://glokh.com/22_556/huge.date
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000003.3220395763.00000000004E2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000003.3220680147.00000000004E8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000002.3221197069.00000000004EA000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://glokh.com/22_556/huge.datl
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000002.3221029443.000000000049F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://glokh.com/22_556/huge.datp
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000002.3221029443.000000000049F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://glokh.com/22_556/huge.datr
Source: GamePall.exe, 0000000B.00000002.3455415643.000000000847F000.00000002.00000001.01000000.0000000E.sdmp, GamePall.exe, 0000000C.00000002.3455238148.00000000082B6000.00000002.00000001.01000000.0000000E.sdmp; String found in binary or memory: http://james.newtonking.com/projects/json
Source: GamePall.exe, 00000023.00000002.3574652326.0000000002F01000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://jiugeyou.bond
Source: log4net.xml.5.dr; String found in binary or memory: http://logging.apache.org/log4j
Source: GamePall.exe; String found in binary or memory: http://logging.apache.org/log4ne
Source: GamePall.exe, 0000000C.00000002.3238023410.0000000004C12000.00000002.00000001.01000000.0000000C.sdmp, log4net.xml.5.dr; String found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: log4net.xml.5.dr; String found in binary or memory: http://logging.apache.org/log4net/schemas/log4net-events-1.2>
Source: setup.exe, setup.exe, 00000005.00000000.2862204034.000000000040A000.00000008.00000001.01000000.00000008.sdmp, setup.exe, 00000005.00000003.3106273329.0000000000769000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp, SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe; String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: sl.pak.5.dr; String found in binary or memory: http://primer.com
Source: GamePall.exe, GamePall.exe, 0000000C.00000002.3238023410.0000000004C12000.00000002.00000001.01000000.0000000C.sdmp; String found in binary or memory: http://www.apache.org/).
Source: GamePall.exe, GamePall.exe, 0000000C.00000002.3238023410.0000000004C12000.00000002.00000001.01000000.0000000C.sdmp; String found in binary or memory: http://www.apache.org/licenses/
Source: GamePall.exe; String found in binary or memory: http://www.apache.org/licenses/LICEN
Source: GamePall.exe, 0000000C.00000002.3238023410.0000000004C12000.00000002.00000001.01000000.0000000C.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: log4net.xml.5.dr; String found in binary or memory: http://www.connectionstrings.com/
Source: log4net.xml.5.dr; String found in binary or memory: http://www.faqs.org/rfcs/rfc3164.html.
Source: log4net.xml.5.dr; String found in binary or memory: http://www.iana.org/assignments/multicast-addresses
Source: GamePall.exe, 0000000C.00000002.3238809751.0000000005720000.00000002.00000001.00040000.0000001C.sdmp; String found in binary or memory: http://www.unicode.org/copyright.html
Source: GamePall.exe, 0000000B.00000002.3620414098.0000000009010000.00000004.10000000.00040000.00000000.sdmp; String found in binary or memory: https://app.optimizely.com/js/innie.js
Source: devtools_resources.pak.5.dr; String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=745678
Source: GamePall.exe, 0000000B.00000002.3620414098.0000000009010000.00000004.10000000.00040000.00000000.sdmp; String found in binary or memory: https://cdn-assets-prod.s3.amazonaws.com/js/preview2/26310650654.js
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.3242383584.0000000006200000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr, sl.pak.5.dr, fr.pak.5.dr, uk.pak.5.dr, hi.pak.5.dr; String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: GamePall.exe, 0000000C.00000002.3242383584.0000000006200000.00000002.00000001.00040000.0000001E.sdmp; String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: en-GB.pak.5.dr; String found in binary or memory: https://chrome.google.com/webstore?hl=en-GB&category=theme81https://myactivity.google.com/myactivity
Source: en-GB.pak.5.dr; String found in binary or memory: https://chrome.google.com/webstore?hl=en-GBCtrl$1
Source: GamePall.exe, 0000000C.00000002.3242383584.0000000006200000.00000002.00000001.00040000.0000001E.sdmp; String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: fr.pak.5.dr; String found in binary or memory: https://chrome.google.com/webstore?hl=fr&category=theme81https://myactivity.google.com/myactivity/?u
Source: fr.pak.5.dr; String found in binary or memory: https://chrome.google.com/webstore?hl=frCtrl$1
Source: hi.pak.5.dr; String found in binary or memory: https://chrome.google.com/webstore?hl=hi&category=theme81https://myactivity.google.com/myactivity/?u
Source: hi.pak.5.dr; String found in binary or memory: https://chrome.google.com/webstore?hl=hiCtrl$1
Source: sl.pak.5.dr; String found in binary or memory: https://chrome.google.com/webstore?hl=sl&category=theme81https://myactivity.google.com/myactivity/?u
Source: sl.pak.5.dr; String found in binary or memory: https://chrome.google.com/webstore?hl=slCTRL$1
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, tr.pak.5.dr; String found in binary or memory: https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u
Source: tr.pak.5.dr; String found in binary or memory: https://chrome.google.com/webstore?hl=trCtrl$1
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, uk.pak.5.dr; String found in binary or memory: https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, uk.pak.5.dr; String found in binary or memory: https://chrome.google.com/webstore?hl=ukCtrl$1
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://chrome.google.com/webstore?hl=urCtrl$2
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://chrome.google.com/webstore?hl=viCtrl$1
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CNCtrl$1
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TWCtrl$1
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.3242383584.0000000006200000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr, sl.pak.5.dr, fr.pak.5.dr, uk.pak.5.dr, hi.pak.5.dr; String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.3242383584.0000000006200000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr, sl.pak.5.dr, fr.pak.5.dr, uk.pak.5.dr, hi.pak.5.dr; String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.3242383584.0000000006200000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr, sl.pak.5.dr, fr.pak.5.dr, uk.pak.5.dr, hi.pak.5.dr; String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.3242383584.0000000006200000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr, sl.pak.5.dr, fr.pak.5.dr, uk.pak.5.dr, hi.pak.5.dr; String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.3242383584.0000000006200000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr, sl.pak.5.dr, fr.pak.5.dr, uk.pak.5.dr, hi.pak.5.dr; String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.3242383584.0000000006200000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr, sl.pak.5.dr, fr.pak.5.dr, uk.pak.5.dr, hi.pak.5.dr; String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.3242383584.0000000006200000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr, sl.pak.5.dr, fr.pak.5.dr, uk.pak.5.dr, hi.pak.5.dr; String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: devtools_resources.pak.5.dr; String found in binary or memory: https://developer.mozilla.org/en-US/docs/SpiderMonkey/Parser_API
Source: devtools_resources.pak.5.dr; String found in binary or memory: https://github.com/acornjs/acorn/issues/575
Source: devtools_resources.pak.5.dr; String found in binary or memory: https://github.com/estree/estree/blob/a27003adf4fd7bfad44de9cef372a2eacd527b1c/es5.md#regexpliteral
Source: GamePall.exe, 0000000B.00000002.3454502741.00000000080BA000.00000004.10000000.00040000.00000000.sdmp, GamePall.exe, 0000000B.00000002.3454502741.00000000080B7000.00000004.10000000.00040000.00000000.sdmp, GamePall.exe, 0000000B.00000002.3259772234.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://lps.plarium.com/en/desktop/raid/rdo/media/asgard_f058_prelp_jt3423_v2?plid=1541456&pxl=ppl_-
Source: GamePall.exe, 0000000B.00000002.3667994194.0000000020302000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://lps.plarium.comE2E727008E27CB0832C0A6F2025AA03B
Source: GamePall.exe, 0000000B.00000002.3667994194.0000000020302000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://lps.plarium.comE2E727008E27CB0832C0A6F2025AA03B-
Source: GamePall.exe, 0000000C.00000002.3396150654.00000000078D7000.00000004.10000000.00040000.00000000.sdmp, GamePall.exe, 0000000C.00000002.3237025793.0000000002561000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://my.rtmark.net/img.gif?f=merge&userId=0080cc945c4543c5ff4e3fd22f0fe675&z=4472886&p_rid=829643
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.3242383584.0000000006200000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr, sl.pak.5.dr, fr.pak.5.dr, uk.pak.5.dr, hi.pak.5.drString found in binary or memory: https://myactivity.google.com/
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, uk.pak.5.drString found in binary or memory: https://passwords.google.com
Source: fr.pak.5.drString found in binary or memory: https://passwords.google.comCompte
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.3242383584.0000000006200000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr, hi.pak.5.drString found in binary or memory: https://passwords.google.comGoogle
Source: sl.pak.5.drString found in binary or memory: https://passwords.google.comRa
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://passwords.google.comT
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.3242383584.0000000006200000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr, sl.pak.5.dr, fr.pak.5.dr, uk.pak.5.dr, hi.pak.5.drString found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.3242383584.0000000006200000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr, sl.pak.5.dr, fr.pak.5.dr, uk.pak.5.dr, hi.pak.5.drString found in binary or memory: https://policies.google.com/
Source: sl.pak.5.drString found in binary or memory: https://primer.com.Uporaba
Source: devtools_resources.pak.5.drString found in binary or memory: https://raw.githubusercontent.com/rust-lang/rust/
Source: GamePall.exe, 0000000C.00000002.3396150654.00000000078DD000.00000004.10000000.00040000.00000000.sdmp, GamePall.exe, 0000000C.00000002.3237025793.0000000002561000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rouonixon.com/4/4472886/?ymid=854365871177474048&var=4472885&price=
Source: GamePall.exe, 0000000B.00000002.3454502741.00000000080BA000.00000004.10000000.00040000.00000000.sdmp, GamePall.exe, 0000000C.00000002.3237025793.0000000002561000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rouonixon.com/?z=4472886&syncedCookie=true&rhd=false
Source: GamePall.exe, 0000000C.00000002.3396150654.00000000078D7000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://rouonixon.com/afu.php?zoneid=4472886&var=4472886&rid=ksX-wKK1z8yLZCaWKyzJyw%3D%3D&rhd=false&
Source: GamePall.exe, 0000000C.00000002.3237025793.0000000002561000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rouonixon.com/async_log/add?cid=1db9169f-90f4-4b2d-b517-bc47aab19c1f&ruid=82964382-5459-43e7
Source: GamePall.exe, 0000000C.00000002.3396150654.00000000078D7000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://rouonixon.com/favicon.ico
Source: GamePall.exe, 0000000C.00000002.3514368501.0000000024BC2000.00000004.00001000.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.3237025793.0000000002561000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rouonixon.com/log/add?cid=1db9169f-90f4-4b2d-b517-bc47aab19c1f&ruid=82964382-5459-43e7-8b80-
Source: GamePall.exe, 0000000C.00000002.3396150654.00000000078DD000.00000004.10000000.00040000.00000000.sdmp, GamePall.exe, 0000000C.00000002.3237025793.0000000002561000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rouonixon.com/sftouch?userId=0080cc945c4543c5ff4e3fd22f0fe675&z=4472886&p_rid=82964382-5459-
Source: GamePall.exe, 0000000C.00000002.3514076200.0000000020782000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://rouonixon.comBE0179B13D3B93B5365CDB8DA729680E
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, tr.pak.5.dr, sl.pak.5.dr, fr.pak.5.dr, uk.pak.5.dr, hi.pak.5.drString found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.3242383584.0000000006200000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr, sl.pak.5.dr, fr.pak.5.dr, uk.pak.5.dr, hi.pak.5.drString found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.3242383584.0000000006200000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.dr, tr.pak.5.dr, sl.pak.5.dr, fr.pak.5.dr, uk.pak.5.dr, hi.pak.5.drString found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: GamePall.exe, GamePall.exe, 0000000C.00000002.3238106157.0000000004C56000.00000002.00000001.01000000.0000000C.sdmp, GamePall.exe, 0000000C.00000002.3238023410.0000000004C12000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Alternative
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Atom
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClass
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClassEscape
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtom
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtomNoDash
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassRanges
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ControlEscape
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ControlLetter
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalDigits
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalEscape
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Disjunction
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Hex4Digits
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigit
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigits
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexEscapeSequence
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRanges
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesNoDash
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-OctalDigit
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Pattern
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-PatternCharacter
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Quantifier
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-QuantifierPrefix
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-RegExpUnicodeEscapeSequence
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-SyntaxCharacter
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertion
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-AtomEscape
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscape
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetter
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassEscape
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedAtom
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacter
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscape
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifier
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequence
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Term
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-atomescape
Source: devtools_resources.pak.5.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-term
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, uk.pak.5.dr, hi.pak.5.drString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&
Source: fr.pak.5.drString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&AideG
Source: sl.pak.5.drString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&Pomo
Source: GamePall.exe, 0000000C.00000002.3242383584.0000000006200000.00000002.00000001.00040000.0000001E.sdmp, en-GB.pak.5.drString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&r
Source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp, tr.pak.5.drString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlYar&d
Source: GamePall.exe, 0000000B.00000002.3455415643.0000000008487000.00000002.00000001.01000000.0000000E.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: GamePall.exe, 0000000B.00000002.3455415643.0000000008487000.00000002.00000001.01000000.0000000E.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Code function: 0_2_004055E7 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: GamePall.exe | Process created: 63
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Code function: 0_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Code function: 0_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Code function: 5_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Code function: 0_2_00406A88
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Code function: 5_2_00406A88
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 10_2_00C54F58
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 11_2_01664F58
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 11_2_0166F5C8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 11_2_01663860
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 11_2_01661049
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 11_2_0166F44A
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 11_2_0166F4D7
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_00AE4F58
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 12_2_00AEF660
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 13_2_03054F58
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 13_2_03051049
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 26_2_01234F58
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 26_2_01233860
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 26_2_01231049
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 35_2_01264F58
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 35_2_01263860
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 35_2_01261049
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 37_2_01191049
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameinetc.dllF vs SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000002.3221434715.0000000002731000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameinetc.dllF vs SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Ionic.Zip.dll.5.dr, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformBlock'
Source: Ionic.Zip.dll.5.dr, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Ionic.Zip.dll.5.dr, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: GamePall.exe.5.dr, Program.cs | Base64 encoded string: 'IjjDC+Kzky7h6dahkgx7zKqwbX4x+VN/YxyiRIgqR+rWDRoupoPgC2U+14kzkKfq', 'j7KZk1ZqPmRFwIRGPamNQR6L6TOlPCFL2+jwkLqgE7LkWax6DLVnn4LlnTlhONEmzPM4FweuWRNzXqAzJmt6rWQ5WN3UuB8jj+RXLH9II/ob9f3l1ouC/3GDBUY5We4W6xMbVl+3eu1xXlsw7wTEhnqWijhhKVJ5COeJC6YOkgQXTZe9zuDdir8ybKTCa2BTIjQhAZWiNyCAvIdnZfJwW8SVw8sn3jRoEWZtlVexgz+k7ewIDDCPt5iQyZ5FN7Qgf7kVAdjNaKxBgFeCC2U1Lx9wJyjOdJSoYtQwnYhwn4wjVKcvauwtZSlhrZHPdt35TOgV9AOsU/NWgCjpVH99OeErfd6cllX4ndpMWnRPFKVOBgIUB+OJMl3Bkn8a4xTi+jmPEUctuWoEl77ssxyjCkRXN1YqQLM9hfR0FCM2aQRxjr5bcI2syaZQDrwimgfuR3QsA4M038V1IuSgI0f5i3H7N3InL4z45n95AemgCpLvm0E+Rm1lzqJxBMO9WC7y47eYHEb07kIYxv1rlXoQZ2KdSPL73HFe0Q9haF+wdT7WoqtRbMy4ontfazMR8RuUgGvamRsAtcIsq3cez3lkpB2DL2CirqdIvZjni9/M9GoZKZagMYDx2ioe+e/XZ3JGP+I5AMk2aDFUy9XfeaWm04gRp7xyi4MYeX/E23j5z0i89BHSCS8VouFMEZHu32e/Mu9nSa+CWDwW9abygPK0lVPtTEQqmKjLRg95CLmfdxue1wudhZs6KslldKbHtO8E/ZnjxXEMO2CmWbq49VK0ao2d9j2FbS5ACPh2qQdG7oXeTldz98EXNPZA0SXdf63d', 'mJuUnBwb6afFGOev7LmkGEG6Dgkm7JniAaWSPskowCjZrOStQl1TloeRt2KE1QbyCGVrvoSzPooPdhXSNHDoduWPcWkQwlpFGfV6jv0BX3fksQwVtSyeNTevSqAYcVJjr4oMt00z3+f5o7AEiK0cy/DWhrCY8qwoG2CVbcUi6Khn6iA0jw01tyBp1Jp36OuxJ/NQsW5xFJ0datXzo10qRmLDgRY9/Ks82by/9Ii0gwOm7maDDuRBaIbZc6ziSTaNXGT0lJj7lj7gMK29aqloaSb8tOKwHuYb8pJyiMP/UhVlaoqV81rnO2v0uExo3YRFTucDCsmBzhvPJAM2cT9Caf9LsMb+qnHtikC0zBq2mPmbQzEL8mIPrsrjpkUjlkE0rJXB9BChfestEFQM/KD91GnTxAc6gQcUrML6aO9Ule0Yz07rP6DnW0UJVXFAIikYxkx6+CxKCJiyblU9sX9oa1dmq5WW7pazdishWL7Cy1l6F3nUzIfVinfywSJQ3ZaJbSuEB9ATfp3iQ7wJBvRf93MDD9ulBMTec356UMGRa5TclbFD6bioRKe3Q1AC4ph6uUj1Wvi4Wl9vmM3yoRDSRdaCz6LyIdlwyRugoEfRJEYSdANWvw8lXlOm1u5K5nGnY1Ywunt/XQ9Fly3+qXSloCXIL04tADu5i3OEbTwBS4Y=', 'glGVjSjXAiG8Bkwam1OVr+DBCJei4cowbUnNLIcGCUhYMbP0Ttk4qLOmKNKZV79FQ9jwJrzNnLeSn9eR+gw59Wco8TI4lbg4/uMB1nYtHNehEtqsEAamWSqEIypV6ocs16ZDt88WOEUcWsgHMFz57fn25+xBLj5rV1BAAhUDZzecCzlSPJxO6Q6g2CaxRyRNk0+e4gNl7cBNplFNOkF/CMvPGqa0PLoLshlPmgzcjaRslhglJjlQn4S4EP6osfk/A0c4MiEq2gTYF1intUQol9+8iUIt1zkoAdADcIKs1ZtSUUX9/VJ8RP/py+xZIIDOHs16zcTRRuOEMZhwBDugrA==', 'X17tbUw8s77O1n80PpLHNqVsMhgzIWJ8q9LqzeDbkZrXXXgfV04DLoNYXd36btaIMOnRcYzkr81S6lRErzYLeLVzcKiaBHxz1R45ZnqCLzQ=', 'Jf/Fh+O3gmErKt8f+iuyUgRD7tfJrXeEfkM8ewFgXuzQdmeWdntKrm3PM/z+usg7', 'KftLQYCzACGydUPkPY7pfH7FXB2roz9nOS9nmr7lSafs3pcoVVVU2X3MjsPCSS6Vtug+Fms9/a9lx5p1k9H8ajqaqPqvXRKeBL28KfGcYI6jFXhe15mg3mOq44rkcvfhCJhs4b8BykAVQ6Pw8HZ7QPnbA6fhjaFITDrTjsFlv6kQGHrdAhjmAOPBYK5/Ut/4+Mtrmaz+m3RpYlxP3y84IxDbVKxIKY61T5DQcV9wW8xxm0riB2Oy18JDfgV0AgtrRDZSCeUloIuT8jEnU3yzXg==', 'glGVjSjXAiG8Bkwam1OVr7knjj9WTZaARSMVdWOR5vIqGi8Gh4pdOv19CFBlRUIN4rlLoS1iTZQ89vwVweLarze0XdQO1SEqVaZgiWsuXm0=', 'QqQVQFG7bPgYKPhQuwuJY53/PFMd4YECmco3LEi4qQNUcAnP1u8JRn4RRmvWZ5An', 'uEoar2s6eJoCFZnXecA1bDZN1C7ZwVm/uL/0b/zsoprAywI45jjbwzmkTowBfKBD', 'LHmAqxeOA2eHknM1hWFp3ULQhNFU4oYanb83xANGDVaXuBwVFsxv+WvGmgeLkqz2', 'rTgV+2PYc7cTXdhZZxupVqxWeoM8K3/ornPrV+OJIIbbq0aPEDzkwCDo99uMb2QA', 'rAFEUL5t/PcYsixu221Y6UnpIRmwKGNJVoRTcgQWj9itwydh50UvncjeAA4QxIF7', 'SKJdcMIFItICh/EPbGgSg0H3TiezSMacUvvxNHeUqHfO8SgJEu8Gc6n1fM6hzHQD157e8KtCue+hTJbkJ+yQxrW7HWzpEhK/Fq0Eub56nNQ=', 'glGVjSjXAiG8Bkwam1OVr1wt/Jd73lf
Source: classification engine | Classification label: mal72.winEXE@296/110@0/10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Code function: 0_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Code function: 5_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Code function: 0_2_00404897 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Code function: 0_2_00402173 CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | File created: C:\Users\user\AppData\Roaming\GamePall
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_mainLog.txt
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_rendLog.txt
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | File created: C:\Users\user\AppData\Local\Temp\nsw46EE.tmp
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Virustotal: Detection: 21%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3256 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3720 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3796 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1725339558529135 --launch-time-ticks=6350788134 --mojo-platform-channel-handle=3836 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1725339558529135 --launch-time-ticks=6350826709 --mojo-platform-channel-handle=3940 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --time-ticks-at-unix-epoch=-1725339558529135 --launch-time-ticks=6357847939 --mojo-platform-channel-handle=2060 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\setup.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3256 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3720 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3796 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1725339558529135 --launch-time-ticks=6350788134 --mojo-platform-channel-handle=3836 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1725339558529135 --launch-time-ticks=6350826709 --mojo-platform-channel-handle=3940 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --time-ticks-at-unix-epoch=-1725339558529135 --launch-time-ticks=6357847939 --mojo-platform-channel-handle=2060 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" (15 identical entries)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown (19 identical entries)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" (8 identical entries)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown (18 identical entries)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown (33 identical entries)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: firewallapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: fwbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: audioses.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscms.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mdmregistration.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mdmregistration.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: omadmapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dmcmnutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iri.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dsreg.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.gaming.input.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: xinput1_4.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: xinput1_4.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: hid.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: GamePall.exe, 0000000B.00000002.3455415643.0000000008487000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exeePallll source: setup.exe, 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: GamePall.exe, 0000000B.00000002.3455415643.0000000008487000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: D3DCompiler_47.pdb source: d3dcompiler_47.dll.5.dr
Source: Binary string: libEGL.dll.pdb source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdbH source: GamePall.exe, 00000006.00000000.3106489932.0000000000442000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 00000006.00000000.3106489932.0000000000442000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, GamePall.exe, 0000000C.00000002.3238499916.0000000005082000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: D3DCompiler_47.pdbGCTL source: d3dcompiler_47.dll.5.dr
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 0000000C.00000002.3238023410.0000000004C12000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 0000000C.00000002.3238499916.0000000005082000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, GamePall.exe, 0000000C.00000002.3238023410.0000000004C12000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: `OTHER`TEMP`PACKED<%s return value>hlslFlagshlslTargethlslEntryhlslDefinesinternal error: failed to write debug data to pdb streaminternal error: failed to add section contributioninternal warning: PDB Error string is "%S"internal error: failed to close debug infointernal error: failed to close PDBinternal error: failed to open PDB for writing in streaminternal error: failed to create debug info in PDBinternal error: failed to add code section to debug infointernal error: failed to add module to debug infointernal error: failed to create type info in PDBinternal error: failed to create inline type info in PDBinternal error: failed to create source file store in PDBinternal error: failed to close source file store in PDBinternal error: failed to close module in debug infointernal error: failed to commit type info in PDBinternal error: failed to commit inline type info in PDBinternal error: failed to add section header to debug infointernal error: failed to append section header to pdbinternal error: failed to close section header in debug infointernal error: failed to close debug info in PDBinternal error: failed to commit PDBinternal error: PDB data too largeinternal error: PDB stream truncatedinternal error: failed to close source file storeinternal error: failed to close type infointernal error: pdb append failedfxl_4_0too many arguments to target TXtoo many outputs to target TXclip not supported in texture shadersinvalid reference to input semantic '%s%d'invalid reference to output semantic '%s%d'0123456789abcdef.pdbVPosSV_ViewportArrayIndexColorFailed to log error, redirecting to debug output: source: d3dcompiler_47.dll.5.dr
Source: Binary string: libGLESv2.dll.pdb source: setup.exe, 00000005.00000002.3219561888.000000000282A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 00000005.00000002.3219319308.000000000070A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 00000005.00000002.3219319308.000000000070A000.00000004.00000020.00020000.00000000.sdmp
Source: Newtonsoft.Json.dll.5.dr | Static PE information: 0xF68F744F [Mon Jan 31 06:35:59 2101 UTC]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Code function: 0_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary | 0_2_100010D0
Source: chrome_elf.dll.5.dr | Static PE information: section name: .00cfg
Source: chrome_elf.dll.5.dr | Static PE information: section name: .crthunk
Source: chrome_elf.dll.5.dr | Static PE information: section name: CPADinfo
Source: chrome_elf.dll.5.dr | Static PE information: section name: malloc_h
Source: libEGL.dll.5.dr | Static PE information: section name: .00cfg
Source: libGLESv2.dll.5.dr | Static PE information: section name: .00cfg
Source: libcef.dll.5.dr | Static PE information: section name: .00cfg
Source: libcef.dll.5.dr | Static PE information: section name: .rodata
Source: libcef.dll.5.dr | Static PE information: section name: CPADinfo
Source: libcef.dll.5.dr | Static PE information: section name: malloc_h
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 37_2_01196770 pushfd ; ret | 37_2_0119677E
Source: Ionic.Zip.dll.5.dr | Static PE information: section name: .text entropy: 6.821349263259562
Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\libcef.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\log4net.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\Del.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat
Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | File created: C:\Users\user\AppData\Local\Temp\nsb470F.tmp\blowfish.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Local\Temp\nscD224.tmp\liteFirewall.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | File created: C:\Users\user\AppData\Local\Temp\setup.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | File created: C:\Users\user\AppData\Local\Temp\nsb470F.tmp\nsProcess.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | File created: C:\Users\user\AppData\Local\Temp\nsb470F.tmp\INetC.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: DF0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 27F0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2610000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 3150000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 3390000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 31D0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2B00000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2D70000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2B90000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: C50000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2A90000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: F60000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 1660000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2FB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 4FB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: AD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2560000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 4560000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 3050000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 3200000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 5200000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 1660000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 3350000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2F80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 11A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2CA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 1200000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: C90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2770000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2680000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 1270000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2E70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2CC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: CB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2A70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 11B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 960000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 24E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 44E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 22E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2480000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 4480000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 920000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 26E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 25A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 3050000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 3200000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 5200000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 8E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2440000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: A60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: A60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2640000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 4640000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2C20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2FA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2CA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 1230000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2E20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2D30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 7B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 23E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 43E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: BC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2670000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 4670000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 1500000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 3250000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 2F70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: B20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 27A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: C70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 1340000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 2DA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: D50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 27D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 2530000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: FE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 2A00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: A70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 2660000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 24A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 1260000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 2F00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 1470000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 1550000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 31C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 1780000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 1190000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 2CA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 1230000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: FD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 29B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 49B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 2BE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 2E00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: 2C00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libcef.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb470F.tmp\blowfish.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\log4net.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nscD224.tmp\liteFirewall.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb470F.tmp\nsProcess.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Del.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb470F.tmp\INetC.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 4444 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 6820 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 4844 | Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Code function: 0_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405B4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Code function: 0_2_004066FF FindFirstFileA,FindClose, 0_2_004066FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Code function: 0_2_004027AA FindFirstFileA, 0_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Code function: 5_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 5_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Code function: 5_2_004066FF FindFirstFileA,FindClose, 5_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Code function: 5_2_004027AA FindFirstFileA, 5_2_004027AA
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Thread delayed: delay time: 600000
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000003.3220585340.0000000000507000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000002.3221197069.0000000000507000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000002.3221029443.0000000000478000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\w
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000002.3221156533.00000000004CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000000.00000003.3220395763.00000000004CF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: GamePall.exe, 00000014.00000002.3501632209.000000000079E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: wod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: GamePall.exe, 0000000A.00000002.3479694398.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | API call chain: ExitProcess graph end node graph_0-3465
Source: C:\Users\user\AppData\Local\Temp\setup.exe | API call chain: ExitProcess graph end node graph_5-3648
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | Code function: 0_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary, 0_2_100010D0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3256 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3720 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3796 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1725339558529135 --launch-time-ticks=6350788134 --mojo-platform-channel-handle=3836 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1725339558529135 --launch-time-ticks=6350826709 --mojo-platform-channel-handle=3940 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --time-ticks-at-unix-epoch=-1725339558529135 --launch-time-ticks=6357847939 --mojo-platform-channel-handle=2060 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (macintosh; intel mac os x 10_15_7) applewebkit/537.36 (khtml, like gecko) chrome/127.0.0.0 safari/537.36 opr/113.0.0.0" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3256 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (macintosh; intel mac os x 10_15_7) applewebkit/537.36 (khtml, like gecko) chrome/127.0.0.0 safari/537.36 opr/113.0.0.0" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3720 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (macintosh; intel mac os x 10_15_7) applewebkit/537.36 (khtml, like gecko) chrome/127.0.0.0 safari/537.36 opr/113.0.0.0" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3796 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (macintosh; intel mac os x 10_15_7) applewebkit/537.36 (khtml, like gecko) chrome/127.0.0.0 safari/537.36 opr/113.0.0.0" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1725339558529135 --launch-time-ticks=6350788134 --mojo-platform-channel-handle=3836 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (macintosh; intel mac os x 10_15_7) applewebkit/537.36 (khtml, like gecko) chrome/127.0.0.0 safari/537.36 opr/113.0.0.0" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1725339558529135 --launch-time-ticks=6350826709 --mojo-platform-channel-handle=3940 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (macintosh; intel mac os x 10_15_7) applewebkit/537.36 (khtml, like gecko) chrome/127.0.0.0 safari/537.36 opr/113.0.0.0" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --disable-gpu-compositing --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --time-ticks-at-unix-epoch=-1725339558529135 --launch-time-ticks=6357847939 --mojo-platform-channel-handle=2060 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe Code function: 0_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess 0_2_004034CC
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Directory queried: number of queries: 1695
MITRE ATT&CK matrix (one tactic per column; a number in parentheses is the badge count shown next to that technique in the original matrix)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (1) | Windows Service (1) | Access Token Manipulation (1) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Archive Collected Data (11) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Native API (1) | Registry Run Keys / Startup Folder (1) | Windows Service (1) | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Clipboard Data (1) | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | DLL Side-Loading (1) | Process Injection (11) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Virtualization/Sandbox Evasion (31) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Registry Run Keys / Startup Folder (1) | Access Token Manipulation (1) | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | DLL Side-Loading (1) | Process Injection (11) | LSA Secrets | File and Directory Discovery (12) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Deobfuscate/Decode Files or Information (1) | Cached Domain Credentials | System Information Discovery (14) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Obfuscated Files or Information (21) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Software Packing (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Timestomp (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | DLL Side-Loading (1) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1503237
Sample: SecuriteInfo.com.Win32.Troj...
Startdate: 03/09/2024
Architecture: WINDOWS
Score: 72

Signatures attached to the start node:
  • Antivirus detection for dropped file
  • Antivirus / Scanner detection for submitted sample
  • Multi AV Scanner detection for submitted file
  • 2 other signatures

Process tree (the graph's node ids are kept in square brackets; the numbers after a process name are the badge counts shown on that node in the original graph):

[8] SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe (4 35) started
    Network: 104.21.90.238 CLOUDFLARENETUS United States
    Dropped: C:\Users\user\AppData\Local\Temp\setup.exe, PE32
    Dropped: C:\Users\user\AppData\Local\...\blowfish.dll, PE32
    Dropped: C:\Users\user\AppData\Local\...\huge[1].dat, PE32
    Dropped: 2 other files (none is malicious)
    [14] setup.exe (9 112) started
        Dropped: C:\Users\user\AppData\...\vulkan-1.dll, PE32
        Dropped: C:\Users\user\AppData\...\vk_swiftshader.dll, PE32
        Dropped: C:\Users\user\AppData\...\libGLESv2.dll, PE32
        Dropped: 16 other files (13 malicious)
        Signature: Antivirus detection for dropped file
        [26] GamePall.exe (18 24) started
            Network: 185.117.88.39 PORTLANEwwwportlanecomSE Netherlands
            Signature: Machine Learning detection for dropped file
            [42] GamePall.exe (2) started
                Network: 139.45.195.8 RETN-ASEU Netherlands
                Network: 139.45.197.238 RETN-ASEU Netherlands
                Network: 6 other IPs or domains
            [45] GamePall.exe (2) started
            [47] GamePall.exe (2) started
            3 other processes
[12] GamePall.exe started
    [18] GamePall.exe started
        [30] GamePall.exe started
        [32] GamePall.exe started
        [34] GamePall.exe started
        5 other processes
    [20] GamePall.exe started
        [36] GamePall.exe started
    [22] GamePall.exe started
        [38] GamePall.exe started
    12 other processes

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | 18% | ReversingLabs | |
SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | 22% | Virustotal | | Browse
SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe | 100% | Avira | HEUR/AGEN.1359405 |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\setup.exe | 100% | Avira | HEUR/AGEN.1359405 |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | 100% | Avira | HEUR/AGEN.1359405 |
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\GamePall\Del.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | 8% | ReversingLabs | Win32.Backdoor.Generic |
C:\Users\user\AppData\Local\Temp\nsb470F.tmp\INetC.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsb470F.tmp\blowfish.dll | 5% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsb470F.tmp\nsProcess.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nscD224.tmp\liteFirewall.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\setup.exe | 8% | ReversingLabs | Win32.Backdoor.Generic |
C:\Users\user\AppData\Roaming\GamePall\Del.exe | 7% | ReversingLabs | |
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | 5% | ReversingLabs | |
C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\GamePall\libEGL.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\GamePall\libcef.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\GamePall\log4net.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
139.45.197.238 | unknown | Netherlands | 9002 | RETN-ASEU | false
104.18.14.253 | unknown | United States | 13335 | CLOUDFLARENETUS | false
162.159.61.3 | unknown | United States | 13335 | CLOUDFLARENETUS | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
104.18.66.57 | unknown | United States | 13335 | CLOUDFLARENETUS | false
104.21.90.238 | unknown | United States | 13335 | CLOUDFLARENETUS | false
139.45.195.8 | unknown | Netherlands | 9002 | RETN-ASEU | false
104.18.17.253 | unknown | United States | 13335 | CLOUDFLARENETUS | false
185.117.88.39 | unknown | Netherlands | 42708 | PORTLANEwwwportlanecomSE | false
34.120.37.77 | unknown | United States | 15169 | GOOGLEUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1503237
Start date and time: 2024-09-03 08:42:27 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 15m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Sample name: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
Detection: MAL
Classification: mal72.winEXE@296/110@0/10
EGA Information:
  • Successful, ratio: 77.8%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 233
  • Number of non-executed functions: 53
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
  • Connection to analysis system has been lost, crash info: Unknown
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Execution Graph export aborted for target GamePall.exe, PID 4480 because it is empty
  • Execution Graph export aborted for target GamePall.exe, PID 5148 because it is empty
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • Skipping network analysis since amount of network traffic is too extensive
Time | Type | Description
08:45:08 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
08:45:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
139.45.197.238 | http://rndskittytor.com | malicious | Unknown | rndskittytor.com/favicon.ico
139.45.197.238 | http://whairtoa.com:443 | malicious | Unknown | whairtoa.com:443/
139.45.197.238 | http://deloplen.com/apu.php?zoneid=695986 | malicious | Unknown | deloplen.com/apu.php?zoneid=695986
139.45.197.238 | http://www.footybite.tv/watch/sports-hd1.htm | malicious | Unknown | cdrvrs.com/tag.min.js
139.45.197.238 | http://soaheeme.net | malicious | Unknown | soaheeme.net/favicon.ico
139.45.197.238 | http://soaheeme.net | malicious | Unknown | soaheeme.net/favicon.ico
139.45.197.238 | http://glaurtas.com | malicious | Unknown | glaurtas.com/favicon.ico
162.159.61.3 | tjigfd64.exe | malicious | LummaC Stealer |
162.159.61.3 | tjigfd64.exe | malicious | LummaC Stealer |
162.159.61.3 | https://xz0816.cn/ | malicious | Unknown |
162.159.61.3 | file.exe | malicious | Unknown |
162.159.61.3 | file.exe | malicious | Unknown |
162.159.61.3 | file.exe | malicious | Unknown |
162.159.61.3 | file.exe | malicious | Unknown |
162.159.61.3 | file.exe | malicious | Unknown |
162.159.61.3 | file.exe | malicious | Unknown |
162.159.61.3 | file.exe | malicious | Unknown |
1.1.1.1 | PO-230821_pdf.exe | malicious | FormBook, NSISDropper | www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
1.1.1.1 | AFfv8HpACF.exe | malicious | Unknown | 1.1.1.1/
1.1.1.1 | INVOICE_90990_PDF.exe | malicious | FormBook | www.quranvisor.com/usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S
1.1.1.1 | Go.exe | malicious | Unknown | 1.1.1.1/
104.18.66.57 | https://tinyurl.com/NDCEurope | malicious | Unknown |
104.18.66.57 | http://www.de-blizzard.com | malicious | Unknown |
104.18.66.57 | https://www.scribd.com/document/762765489/Advice-Notification#fullscreen&from_embed | malicious | Unknown |
104.18.66.57 | http://www.de-battle.net | malicious | Unknown |
104.18.66.57 | http://solarrebater.org/ | malicious | Unknown |
104.18.66.57 | https://ipfs.io/ipfs/Qmctx3fdVsajRA8gHw2wP5UHNMxaJ7D37h2UWxpgk6T6iK | malicious | HTMLPhisher |
104.18.66.57 | original.eml | malicious | Unknown |
104.18.66.57 | https://lvltechnologies.freshdesk.com/en/support/solutions/articles/153000195870-auftragsbest%C3%A4tigung-31395-vom-14-08-2024 | malicious | Unknown |
104.18.66.57 | https://lvltechnologies.freshdesk.com/en/support/solutions/articles/153000195870-auftragsbest%C3%A4tigung-31395-vom-14-08-2024 | malicious | Unknown |
104.18.66.57 | https://apps.axahealth.co.uk/os/ | malicious | Unknown |
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://www.therecoveryvillage.com/drug-addiction/signs-drug-addiction/ | malicious | Unknown | 104.22.54.104
CLOUDFLARENETUS | SOCRETAS GRAECIA VSL's PARTICULARS.pdf.scr.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | LYONSOFT, COOP.V. - Env#U00edo orden 240187 fecha 02-09-2024.exe | malicious | FormBook | 23.227.38.74
CLOUDFLARENETUS | PO 4555131028.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | https://piclut.com/n//?c3Y9bzM2NV8xX29uZSZyYW5kPWRHcFdjMk09JnVpZD1VU0VSMjkwNzIwMjRVMTgwNzI5MDA= | malicious | Unknown | 104.21.92.125
CLOUDFLARENETUS | SecuriteInfo.com.Win32.PWSX-gen.14960.5907.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
CLOUDFLARENETUS | avanss.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | umbralstealer.exe | malicious | Blank Grabber, Umbral Stealer | 162.159.130.233
CLOUDFLARENETUS | BTC.exe | malicious | AsyncRAT, Rezlt, StormKitty, VenomRAT, Vermin Keylogger, WorldWind Stealer, XWorm | 172.67.196.114
RETN-ASEU | HDKuOe.exe | malicious | Unknown | 139.45.195.8
RETN-ASEU | http://metamasskluginn.blogspot.co.uk/ | malicious | Unknown | 139.45.197.236
RETN-ASEU | 3O5Uh9S6wK.exe | malicious | DCRat, PureLog Stealer, zgRAT | 109.94.208.20
RETN-ASEU | http://stream.crichd.vip/update/sscricket.php | malicious | Unknown | 139.45.197.236
RETN-ASEU | https://squad.cl:443/MTU0czVIMDg3ODR6OG4= | malicious | Unknown | 139.45.197.236
RETN-ASEU | hH0XORBaVy.exe | malicious | Panda Stealer | 109.94.208.20
RETN-ASEU | https://thubanoa.com/1?z=6533428 | malicious | Unknown | 139.45.197.242
RETN-ASEU | http://glogopse.net | malicious | Unknown | 139.45.197.244
RETN-ASEU | https://zpr.io/CCttTX8DkxHn | malicious | HTMLPhisher | 139.45.197.250
RETN-ASEU | http://omnatuor.com | malicious | Unknown | 139.45.197.227
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\nsb470F.tmp\INetC.dll | HDKuOe.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\nsb470F.tmp\INetC.dll | HDKuOe.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\nsb470F.tmp\INetC.dll | LisectAVT_2403002B_95.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\nsb470F.tmp\INetC.dll | file.exe | malicious | LummaC, SmokeLoader
C:\Users\user\AppData\Local\Temp\nsb470F.tmp\INetC.dll | file.exe | malicious | SmokeLoader
C:\Users\user\AppData\Local\Temp\nsb470F.tmp\INetC.dll | file.exe | malicious | LummaC, SmokeLoader
C:\Users\user\AppData\Local\Temp\nsb470F.tmp\INetC.dll | file.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
C:\Users\user\AppData\Local\Temp\nsb470F.tmp\INetC.dll | 5GOuTtZoQn.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
C:\Users\user\AppData\Local\Temp\nsb470F.tmp\INetC.dll | SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.15788.4670.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):107107091
Entropy (8bit):7.999926944050585
Encrypted:true
SSDEEP:3145728:9xNatfm+qgNdi6Dx9j8xOaspSz6jcLkVVvOjp:9Lat+tYI6jjnJpSz6jTWjp
MD5:2B4BA70B5C6115ADD73FDEF28AAEAA8A
SHA1:7E2264C7AED8F051F681AD1E78F263606351AA66
SHA-256:D817589B822C458C17C2EE6C0ED4791930B86BBCDDDD103F6556B428B7E1DDDF
SHA-512:964F2062EDE187CE78044DE76A13B927D20B37B06A736F8834F48135B368D298727FC98B5B8C5E5839AF7F38ACFCD99337904987A8912D3D4A0C23C1256691AF
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 8%
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):22016
Entropy (8bit):5.668346578219837
Encrypted:false
SSDEEP:384:VpOSdCjDyyvBwRlX+ODbswYM2s74NS0v0Ac9khYLMkIX0+Gzyekx:rdCjW/lX1PfYM2X1
MD5:92EC4DD8C0DDD8C4305AE1684AB65FB0
SHA1:D850013D582A62E502942F0DD282CC0C29C4310E
SHA-256:5520208A33E6409C129B4EA1270771F741D95AFE5B048C2A1E6A2CC2AD829934
SHA-512:581351AEF694F2489E1A0977EBCA55C4D7268CA167127CEFB217ED0D2098136C7EB433058469449F75BE82B8E5D484C9E7B6CF0B32535063709272D7810EC651
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: HDKuOe.exe, Detection: malicious
• Filename: HDKuOe.exe, Detection: malicious
• Filename: LisectAVT_2403002B_95.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: 5GOuTtZoQn.exe, Detection: malicious
• Filename: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.15788.4670.exe, Detection: malicious
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):22528
Entropy (8bit):6.674611218414922
Encrypted:false
SSDEEP:384:yTxz0Cv0hqd+1TjQmd9YWrSUEc//////OD5hF92IJpJgLa0MpoYfAz6S:jCvsqdS3QGBREc//////Q53NgLa1ub
MD5:5AFD4A9B7E69E7C6E312B2CE4040394A
SHA1:FBD07ADB3F02F866DC3A327A86B0F319D4A94502
SHA-256:053B4487D22AACF8274BAB448AE1D665FE7926102197B47BFBA6C7ED5493B3AE
SHA-512:F78EFE9D1FA7D2FFC731D5F878F81E4DCBFAF0C561FDFBF4C133BA2CE1366C95C4672D67CAE6A8BD8FCC7D04861A9DA389D98361055AC46FC9793828D9776511
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 5%
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4608
Entropy (8bit):4.666004851298707
Encrypted:false
SSDEEP:48:iYXzAm8HGJLvwM8GJFd6I7W4JtT2bxNNAa4GsNf+CJ8aYqmtlKdgAtgma1QvtCSJ:lz2mJkpGR6GY74GQ1YqmstgGCtR
MD5:FAA7F034B38E729A983965C04CC70FC1
SHA1:DF8BDA55B498976EA47D25D8A77539B049DAB55E
SHA-256:579A034FF5AB9B732A318B1636C2902840F604E8E664F5B93C07A99253B3C9CF
SHA-512:7868F9B437FCF829AD993FF57995F58836AD578458994361C72AE1BF1DFB74022F9F9E948B48AFD3361ED3426C4F85B4BB0D595E38EE278FEE5C4425C4491DBF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):6.389604568119155
Encrypted:false
SSDEEP:1536:Dli3i1jKfTV0LzYpAzMk2nACScLw5jPAT:j9KLQ+ScLw5jPAT
MD5:165E1EF5C79475E8C33D19A870E672D4
SHA1:965F02BFD103F094AC6B3EEF3ABE7FDCB8D9E2A5
SHA-256:9DB9C58E44DFF2D985DC078FDBB7498DCC66C4CC4EB12F68DE6A98A5D665ABBD
SHA-512:CD10EAF0928E5DF048BF0488D9DBFE9442E2E106396A0967462BEF440BF0B528CDF3AB06024FB6FDAF9F247E2B7F3CA0CEA78AFC0CE6943650EF9D6C91FEE52A
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):358254920
Entropy (8bit):6.971707988895985
Encrypted:false
SSDEEP:3145728:yTzytRGD/CYRNIPKYTFBhfmOS9KBaVzTx9OSstV97nC:ynUs4tvaVzTD9eC
MD5:33C098264C6CB2A9DB446F6CC5640ECB
SHA1:C84BED9D8C39400EAA41D00DE022FDC839D38875
SHA-256:83905FC1C4D0BA32A148F91D360AA2351A8B64629E544D9EBA9DEDC39C1F5F76
SHA-512:D0ADD59ACE5A9356298C52B10B641500675E3E8BF655A47A99E7B28DA912659246133BFC9A9D2FCB2FEB82CEDD03B88A9B5EFDEA3CC377F56F24B1302438EE51
Malicious:false
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
File Type:data
Category:dropped
Size (bytes):58119
Entropy (8bit):5.697765279145807
Encrypted:false
SSDEEP:
MD5:49157D86FE1EC373614B218E1F4381D0
SHA1:2A14CF4EE90DFCADB6A677990B43019548D2835B
SHA-256:BF13689029FF64B302FB553B4E8A35B6122471FFD6DB3C914A493FF82DCD4944
SHA-512:C8E1022F5257A993659389E7B8BB593E04A596D0D7C39886B33FB2777AD54DC9AEE48940AFB8B2C36707EA92ECD496D35F2ECD41E2D3062EF728251AF3FAC36D
Malicious:false
                                                            Preview:."......,.......................,........"......."..............................................................................................................................................................................................................................................................j.......,.../...5.......3...................................................................................................................T...9.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                            Category:dropped
                                                            Size (bytes):107107091
                                                            Entropy (8bit):7.999926944050585
                                                            Encrypted:true
                                                            SSDEEP:
                                                            MD5:2B4BA70B5C6115ADD73FDEF28AAEAA8A
                                                            SHA1:7E2264C7AED8F051F681AD1E78F263606351AA66
                                                            SHA-256:D817589B822C458C17C2EE6C0ED4791930B86BBCDDDD103F6556B428B7E1DDDF
                                                            SHA-512:964F2062EDE187CE78044DE76A13B927D20B37B06A736F8834F48135B368D298727FC98B5B8C5E5839AF7F38ACFCD99337904987A8912D3D4A0C23C1256691AF
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 8%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................... ............@.................................8............8...........................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc....8.......:..................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                            Category:dropped
                                                            Size (bytes):8192
                                                            Entropy (8bit):0.01057775872642915
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                            SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                            SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                            SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                            Malicious:false
                                                            Preview:............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):8192
                                                            Entropy (8bit):0.012096502606932763
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:259E7ED5FB3C6C90533B963DA5B2FC1B
                                                            SHA1:DF90EABDA434CA50828ABB039B4F80B7F051EC77
                                                            SHA-256:35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
                                                            SHA-512:9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
                                                            Malicious:false
                                                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):8192
                                                            Entropy (8bit):0.011852361981932763
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:0962291D6D367570BEE5454721C17E11
                                                            SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                            SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                            SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                            Malicious:false
                                                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):8192
                                                            Entropy (8bit):0.012340643231932763
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:41876349CB12D6DB992F1309F22DF3F0
                                                            SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                            SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                            SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                            Malicious:false
                                                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                                                            Category:dropped
                                                            Size (bytes):262512
                                                            Entropy (8bit):9.553120663130604E-4
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:FF1288EE34EC7321DB9FE35B4AE1A477
                                                            SHA1:D8CFC13A815CEE0C656A09C4CA5470C30A1FEDF8
                                                            SHA-256:0361D8D019ADCC32E9A92AB267520087CC83CAB78C56F65AE515BBD76D1BB756
                                                            SHA-512:53D5A74597FDEBC98E1927DE1E760CCE704DCC07357B326E2292F15595DACD9FAB1A8BD2C8EA82F2B07C09BA36D6D90AC4231C37BF5FC4EC91AA72EE2A5A8513
                                                            Malicious:false
                                                            Preview:............................................/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):8192
                                                            Entropy (8bit):4.622398838808078
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:97D4D47D539CB8171BE2AEFD64C6EBB1
                                                            SHA1:44ABF82DD553CCE0C1F41B9B78D853075DDD1F16
                                                            SHA-256:8D996D5F68BF2248F223C4F3549303BC6A8EC58CC97FCB63B7BB7D8068850273
                                                            SHA-512:7D402847B093E208410C695095DE815A3F5D5DA81630FD51C88C009C48C269D0EA5016D626351BB9D38862163FAD930645072C50ACCCD743DC0E19531A592FDE
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 7%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.].........."...0.............64... ...@....@.. ....................................@..................................3..O....@.......................`.......2............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H........#...............1...............................................0..-.......(....r...p(.....(.......(....,...(....*(....*....0..T........~....(.....~....(.....(....s....%.o....%.o....%.o....%.o....%~....o....(....&..&..*........PP.......0..6.......(....(......( ...r...p~....r...p(!.....("...,...(#...*...0..........r...p.~$.....o%.....,..~....o&......,..o'....ra..p.~$.....o%.....,..~....o(......,..o'....r...p.~$.....o%.....,..~....o(......,..o'......&..*....4.......#..
                                                            Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                            Category:dropped
                                                            Size (bytes):8192
                                                            Entropy (8bit):0.01057775872642915
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                            SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                            SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                            SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                            Malicious:false
                                                            Preview:............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):8192
                                                            Entropy (8bit):0.012096502606932763
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:259E7ED5FB3C6C90533B963DA5B2FC1B
                                                            SHA1:DF90EABDA434CA50828ABB039B4F80B7F051EC77
                                                            SHA-256:35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
                                                            SHA-512:9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
                                                            Malicious:false
                                                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):8192
                                                            Entropy (8bit):0.011852361981932763
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:0962291D6D367570BEE5454721C17E11
                                                            SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                            SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                            SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                            Malicious:false
                                                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):8192
                                                            Entropy (8bit):0.012340643231932763
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:41876349CB12D6DB992F1309F22DF3F0
                                                            SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                            SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                            SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                            Malicious:false
                                                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                                                            Category:dropped
                                                            Size (bytes):262512
                                                            Entropy (8bit):9.47693366977411E-4
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:9359BC64627DF6AFA2897ABFDE4A6212
                                                            SHA1:E6559BB5F2EA307BE4F282511ACF6246ED96BCAB
                                                            SHA-256:327EE22AF8C59D0E63741F7CBCD53D0391B6F26CC9A4AA3EA48D1735875EA908
                                                            SHA-512:7ABF391B6D7D9E1D897068034342F28B1063D1ADEEAAC6FC5B72A6FB28854BD5910535158A900E755B383DA8F1D403CF0351AAE819E5B55637EF06CCDCBCF259
                                                            Malicious:false
                                                            Preview:........................................(..../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):187392
                                                            Entropy (8bit):4.5816933981574515
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            SHA1:DA03DE3ABEC590F957B282E3EE8D404C7859D040
                                                            SHA-256:E13FD38426C94F2F72E7560E379C74FA1E7C365574EB14D30183F2CCCEC01F76
                                                            SHA-512:226C9AB2E156EED32ED05F50B7711CC19C1920AE3E3FA093234FB24EE2B8687754099EE0571A987D2F640199353587FC599BE07D0E175938C7FB0DB784585C75
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 5%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0.............r.... ........@.. .......................@............@................................. ...O.......D.................... ...................................................... ............... ..H............text........ ...................... ..`.rsrc...D...........................@..@.reloc....... ......................@..B................T.......H....... ...X...........x...p............................................(....s....*Z..(....,...(....(....*.(....*..(....*..(....*.......*.~....*....0..W.......(....".....(......,..o....-..*.o.....+...( .....o....&..(!...-...........o"....."...BZ*.......%..A.......0..Q.......(....(........,..o....-..*.o.....+...( .....o....&.._...(!...-...........o".....*.........!. A.......0..V.......(....(......,..o....-.*~#.....o.....+...( ...."...B[..o....&..(!...-...........o"....*......
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):462336
                                                            Entropy (8bit):6.803831500359682
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:6DED8FCBF5F1D9E422B327CA51625E24
                                                            SHA1:8A1140CEBC39F6994EEF7E8DE4627FB7B72A2DD9
                                                            SHA-256:3B3E541682E48F3FD2872F85A06278DA2F3E7877EE956DA89B90D732A1EAA0BD
                                                            SHA-512:BDA3A65133B7B1E2765C7D07C7DA5103292B3C4C2F0673640428B3E7E8637B11539F06C330AB5D0BA6E2274BD2DCD2C50312BE6579E75C4008FF5AE7DAE34CE4
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=N...........!................N#... ...@....@.. ..............................T.....@.................................."..O....@..P....................`......."............................................... ............... ..H............text...T.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................0#......H.......0U..l...........P%.../..P ......................................6..`N.?O...%.C.k_..d...I......5a.......9x......R...gg8...JM...`.[. .o..eE1$_.M.h.q.oz..1..........@....s.c/J..wk.D.....t..&...(....*...0..2........r...p(....}.......}"....(........(.........(....*..r...p(....}.......}"....(........(....*..0..j.........o....-..s#...+..}......(......(......}.....(....s....}......}......}......(......%-.&r...p}......j(#...*rr!..p.{.....{.....B...(....*..0..A........{..
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):574376
                                                            Entropy (8bit):5.8881470355864725
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:8F81C9520104B730C25D90A9DD511148
                                                            SHA1:7CF46CB81C3B51965C1F78762840EB5797594778
                                                            SHA-256:F1F01B3474B92D6E1C3D6ADFAE74EE0EA0EBA6E9935565FE2317686D80A2E886
                                                            SHA-512:B4A66389BF06A6611DF47E81B818CC2FCD0A854324A2564A4438866953F148950F59CD4C07C9D40CC3A9043B5CE12B150C8A56CCCDF98D5E3F0225EDF8C516F3
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ot............" ..0.............6.... ........... ....................................@....................................O.......................................T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........f...P............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{E....3...{D......(....,...{D...*..{F.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):561424
                                                            Entropy (8bit):4.606896607960262
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:928ED37DB61C1E98A2831C8C01F6157C
                                                            SHA1:98103C2133EBDA28BE78BFE3E2D81D41924A23EE
                                                            SHA-256:39F6A4DB1BE658D6BAFF643FA05AAE7809139D9665475BFCA10D37DCA3384F21
                                                            SHA-512:F59387BFA914C7DB234161E31AD6075031ACA17AAEF4B8D4F4B95C78C7A6A8D0E64211566CA2FD4549B9DA45231F57A4191FBCD3809404653F86EE2ABD4937A4
                                                            Malicious:false
                                                            Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Newtonsoft.Json</name>.. </assembly>.. <members>.. <member name="T:Newtonsoft.Json.Bson.BsonObjectId">.. <summary>.. Represents a BSON Oid (object id)... </summary>.. </member>.. <member name="P:Newtonsoft.Json.Bson.BsonObjectId.Value">.. <summary>.. Gets or sets the value of the Oid... </summary>.. <value>The value of the Oid.</value>.. </member>.. <member name="M:Newtonsoft.Json.Bson.BsonObjectId.#ctor(System.Byte[])">.. <summary>.. Initializes a new instance of the <see cref="T:Newtonsoft.Json.Bson.BsonObjectId"/> class... </summary>.. <param name="value">The Oid value.</param>.. </member>.. <member name="T:Newtonsoft.Json.Bson.BsonReader">.. <summary>.. Represents a reader that provides fast, non-cached, forward-only access to s
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                            Category:dropped
                                                            Size (bytes):116540
                                                            Entropy (8bit):4.480514158916431
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:DB2D869947AF135C1E8F341C7BA9E77F
                                                            SHA1:6B5A54803C1A738C54B0004CBC9252E241ADC8F7
                                                            SHA-256:F5102BDB653D86FBDAA604702F7597C967DD685AA7CBBEA8F11167E332905690
                                                            SHA-512:5AB69B68B841B2712BDA845A608DFA015A03F3ED91526E7EA9AE5E24B11972E503843299F59CAB3C3CF64AFFB3365C548D557E2A9610481996AF3052C25C0C7B
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................... ............@.................................8............8...........................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc....8.......:..................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):875520
                                                            Entropy (8bit):5.621956468920589
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:B03C7F6072A0CB1A1D6A92EE7B82705A
                                                            SHA1:6675839C5E266075E7E1812AD8E856A2468274DD
                                                            SHA-256:F561713347544E9D06D30F02A3DFCEC5FE593B38894593AEEDF5700666B35027
                                                            SHA-512:19D6792EB9BA8584B94D0D59E07CE9D1C9C4DA5516490F4ABCE5AE0D7D55B357BDA45B2093B3E9EB9D6858061E9D3F530A6655C4779A50C911501AE23925C566
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..R...........p... ........... ....................................@..................................p..O.......x............................o..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc...x............T..............@..@.reloc...............Z..............@..B.................p......H....... .................................................................(....*..(....*..(....*^.(.......=...%...}....*:.(......}....*:.(......}....*^.(.......>...%...}....*:.(......}....*.(.........*....0..,.......(....o.......3..*....... ....3.(....-..*.*.*.0..L.......~..... . ..(......(....-..(....r...p( ...,.......&...~....(!...,..(".....*.*........+1...........4.......~....*.~....*..(....*.~....,.*.(#...-.(....-..(....+.r...ps$...z(..........*b.r...p(%...~.....(....&*.r
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1946739
                                                            Entropy (8bit):7.989700491058983
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:96AD47D78A70B33158961585D9154ECC
                                                            SHA1:149BF6F6905A76B0CC9E9ACA580357BD6C3497A2
                                                            SHA-256:C861117D1F1DBF02867B46FA87CB8C65C3213D196029EE81A02B617D131236E2
                                                            SHA-512:6A971F742B5754EEF39C6C2C64DB13DFDCB74D8CB23833404E9EF5AD89E142278E5DF789F508DB561C5E957013AE0C60D002CDFA93BCD87CA4967D610DF1579B
                                                            Malicious:false
                                                            Preview:........V...f.....g.7........................!.....%....o8...).>...).F...).H...).X...).a...)*i...).k...).q...)Lt...).v...)Tw...).x...).}...).....)I....)i....)....).....).....)L....)....)....)t....).....).....).....)s....).... )....!)....")....#)....$)}...%)+...&)h#..').'..().-..)).>..*).A..+).C..,).Q..-)CU...).]..<).d..=).l..>)i...?)G...@)H...A)r...B)....C)z...T)....U)....V)+...W)....X)....Y)....Z)....[)#...\)}...]).!..^)R1.._).2..`).;..a).=..b)mE..c)QG..d).H..e)qL..f).U..g).]..h).b..i))d..j).e..k).g..l)Pi..m).p..n).z..s).z...).....)b....).....)'....).....)....)....).....).....)....).....)s....)F....)j....)....).....)....)....)....)h....)H....)....).....).....)k....).....)L....)q....)2....).....).....).....).....).....)N....)|....).....).....).....).!...).)...).6...).C...)RE...).L...).N...).O...).U...)bV...).W...).^...)o_...)(g...)Si...).v...).....)0....)/....).....),....).....*.....*F....*]....*3....*v....*....*v....*.....*.....*.....*$... *....!*8..."*....#*....$*....%*..
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):214119
                                                            Entropy (8bit):7.955451054538398
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:391F512173ECEC14EB5CE31299858DE1
                                                            SHA1:3A5A41A190C1FB682F9D9C84F500FF50308617FC
                                                            SHA-256:E0F5C754C969CCA0AC4594A6F3F2C23D080A09EEA992AF29E19F4291FD1E0B06
                                                            SHA-512:44D7B9BCB3544C3F5550150EF3522BF6A0B36900695E6A13E44F5616E16A058548189D4FEA4A22248B1CB2B273B0EAA7D559EB2D8F013BED520E4097BD45D800
                                                            Malicious:false
                                                            Preview:........................#.b...&.....:.g....7.....7.....7.....7|(...7.-...7t5...7.6...7.9...7s:...7hB...7.E...7.G...7.K...7qN...7.Q...7yR...7.S...7.W...7.\...7.b...7.i...7.k...76m...7Vq...7.r...7.v...7.y...7.{...7.~...7Z....75....7;....7W....7.....7c....7u....7b....7.....7.....7.....7Q....7*....7\....8."...8,)..<FqG..=F7I..>F.L..?F$O..@F.P..AFaQ..BFnT..CF.W..DF.Y..EFJ\..FF.^..MF(b..NF.c..QF.e..RF.f..YFZg..ZF.p..[F.x..\F.{..]F.{...L.|...L.....L....Ni....N.....NJ....N2....N+....N^....No....N9....NK....N....N1....N$....N....Nh....N.....N.....U.....U.....U.....U.....U.....U[....U.&...Uh(...U?/...U.4...U.:...U.@...U.B...U,G...U.K...U)N...U.R...UF\...U.`...U.b...U.j...U]s...UEt...U.u...U.w...U.z...Uh{...U.}...U#....U.....U^....U.....U|....U.....U.....U.....U.....U.....U.....U.....U.....U.....U]....U?....U.....U9....U....U.....Um....U<....U!....U.....U.....U....Uq....U3....U!....U.....U....U.....Uu....UJ....U.....U.....U.....U.....U`....U'....U.....U.....Ul....U%....U7....U.....U.....UW.
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):290001
                                                            Entropy (8bit):7.9670215100557735
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:BF59A047984EAFC79E40B0011ED4116D
                                                            SHA1:DF747125F31F3FF7E3DFE5849F701C3483B32C5E
                                                            SHA-256:CD9BE67AA0527F16E309189FA2369E1A2596D0601A7D55C405F8A619F4D095E9
                                                            SHA-512:85A545758E8C89EF47BF11B553C57D23ED7DA6AE89A8BCCB262F509AABE61A1121C3F87EC9200791F2670225BAEECC3C92AED6AFDA86C08CA0FD611DA2E595D2
                                                            Malicious:false
                                                            Preview:........................#.....&.....:......7.....7.....7.....7.+...7.1...7.8...7.9...7)<...7.=...7xE...7.H...7.J...7'N...7.Q...7.T...7.U...7.W...7.Z...7._...7.e...7.l...7.n...7Fp...7ft...7.v...7)y...7.|...7.~...7.....7j....7E....7K....7g....7.....7s....7.....7r....7.....7.....7.....7a....7:....7l"...8.%...8<,..<F.J..=F.N..>FtV..?F9\..@Fw_..AFr`..BF0g..CFll..DF|o..EF.v..FF){..MF....NF...QFf...RF....YF`...ZF...[F....\F....]F....L*....L.....L.....N.....N.....N.....N.....N.....N.....N.#...N.&...N.'...N.)...N.*...N.+...Nv,...N.-...N;r...N.|...Um....U.....UM....UV....U.....U....UC....U.....U....UM....U.....U.....Um....U.....U.....U.....U.....UQ....U.....U7....U.....U.....Uk....U.....U.....U.....U.....U.....U.....U.....U.....U.....U{....U.....U.....U.....U~&...U.)...U.Q...U.Q...U.V...U.[...U.\...U._...U.`...U?a...U.a...Uic...U.d...U\f...U.g...U.i...U1l...U.p...U.u...U.}...U.....U.....U^....U.....U.....Ux....U....U.....Uy....U6....U.....U....UR....Uq....U.....U.....U_....U.....U.....U..
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1305142
                                                            Entropy (8bit):7.99463351416358
                                                            Encrypted:true
                                                            SSDEEP:
                                                            MD5:20DDA02AF522924E45223D7262D0E1ED
                                                            SHA1:378E88033A7083AAC24E6CD2144F7BC706F00837
                                                            SHA-256:8448C2BA10A3D7DC8CA3FB24F580BF99D91F746107B1A06E74932749CC1CAB01
                                                            SHA-512:E71320B2AA0CB52938206EC00187D78274646C4C7D3579B33A0163262C063B7813FE7ACD0D2E5807082ADE772069AA577FED7F594964790C2F7C061CE38467B6
                                                            Malicious:false
                                                            Preview:........i...f+....i+....l+....m+{...n+q...o+7(..p+.1..q+X3..r+~5..s+aI..t+.]..u+.f..v+Ui..w+'k..x+.l..y+.q..z+.s..{+O{..|+...}+=...~+.....+....+-....+.....+.....+.....+.....+.....+.....+.....+.....+.....+%....+.....+&(...+.Q...+.Y...+Xe...+Bj...+cv...+.}...+....+H....+....+Q....+l....+I....+.....+ ....+T....+!....+m....+.....+.....+U....+.....+.....+.....+l....+~....+.....+=....+w....+.....+-"...+.(...+.0...+.2...+.4...+.G...+uS...+.....+9....+y....+.....+.....+N....+....+0....+.....+.....+.....+_....+.....+.....+.....+.....+.....+.....+.....+.....+S....7`....7R...(7/...)7.....L.m...LO....L.....Mk....M.....M.....M>....M.....M.....Mq....M.....M.....M\....M.....M.....M.....M.....M.....M.....M.....M.....M.....MO....M.....M.....M.!...M.(...Mf5...M.;...M&E...M.P...M.T...M<]...M.`...M.j.. M.k..!M2v.."M.w..#M.z..$M....%M...&M...'M#...(M@...)M....*M(...+MY...,Mu...-M$....M..../MV...0M;...1Mx...2M....3M....4Mi...5M....6M....7MP...8M"...DM....EM.....Mi....M.~...M.~...Mb....M_....M....M.
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:current ar archive
                                                            Category:dropped
                                                            Size (bytes):87182312
                                                            Entropy (8bit):5.477474753748716
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:FFD456A85E341D430AFA0C07C1068538
                                                            SHA1:59394310B45F7B2B2882D55ADD9310C692C7144F
                                                            SHA-256:F188B96639B5157E64222BB8483D76CD21A99141FC2614EF275E20639C739264
                                                            SHA-512:EB4CB388383CB37B1D89531D560169985A80DF9335F005AFBBFDE56F9031821A933D735138B1086CF81D006E480FF14711A8A95B3DB8A0FD4037AA6EFD926B50
                                                            Malicious:false
                                                            Preview:!<arch>./ 1696073295 0 1940897 `...Y..:.t.:.>.:...:...:...:...:...;/..;/..;/..;/..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..@...@...@...@...@...A...A...A...A...A...A...A...A...A...A...A...A...Co..Co..Co..Co..Co..Co..Co..Co..Co..Co..E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...G..G..G..G..G..G..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=.
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):656926
                                                            Entropy (8bit):7.964275415195004
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:3404DD2B0E63D9418F755430336C7164
                                                            SHA1:0D7D8540FDC056BB741D9BAF2DC7A931C517C471
                                                            SHA-256:0D3FCA7584613EB1A38BAF971A7DD94F70803FC130135885EC675E83D16A4889
                                                            SHA-512:685D63633DB8A57D84225C2B92C92016E1CE98BA2BF8D3DDACE2EB120B3BCF84C718787D59DB6EC61F34CF91CB651500B4E4FF0AC37AEB89561CDCC586946C80
                                                            Malicious:false
                                                            Preview:..........+...........................&..........;.....;N....;.....;"....;.....;.....;N....;.....;.....;s....;....;.....;.....;....;4....;.....;.....;0....;.....;c....;7....;.....;.....;.....;.....;?....;:....;G....;.....;n....;x....;.....;.....;.....;#....;.....;.....;B....;.....;.....;.....;N....;.....;.....;+....;.....;% ...;c!...;.!...;."...;E+...;t4...;qH...;I\...;.]...;.^...;>a...;.c...;.g...;.o...;pw...;.|...;h....;.....;.....;....;.....;....;o....;.....;.....;.....;*....;y....;.....;.....;3....;9....;h....;.....;.....;.....;F....;."...;.+...;.0...;.8...;?:...;'X...;.q...;.....;....;.....;t....;.....;.....;.....;./...;.X...; m...;....;.....;.....;.....;+....;.....<O....<.....<.....<=....<2$...<y+...<.3...<.<...<aA...<.L...<.W...<.[...<._...<.d...<Dv...<t....<!....<....<....<.....<.....<.....<V....<.....<.#...<.8...<|F...<hP...<bW.. <i^..!<ts.."<(...#<{...)<`...*<c...+<d...,<"...;<x...<<k...=<....><-...?<....@<....A<'...B<g...C<....D<U...E<....F<....G<....J<....K<....L<v%
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1017158
                                                            Entropy (8bit):7.951759131641406
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:3FBF52922588A52245DC927BCC36DBB3
                                                            SHA1:EF3C463C707A919876BF17C3E1CD05C0D2C28CA9
                                                            SHA-256:C6FE346106C5E4950161ED72EB0A81FE3537A94E4A59461AAF54E750D1904F76
                                                            SHA-512:682EB6D61B564C878FDB971A6439FCDA9F1E108BD021A32E8990B68B1338986A4866A0965DEA62567501C8826D43CEBF2B7C8BE8323DE415A75E8D89A9D592E7
                                                            Malicious:false
                                                            Preview:..........+.....................b................;.....;&....;.....;.....;.....;.....;b....;....;8....;.....;.....;o....;....;<....;.....;.....;l....;....;/....;.....;[....;Q....;.....;j....;.....;.....;L'...;.E...;lZ...;.o...;.q...;.r...;.s...;.{...;.{...;.~...;"....;.....;U....;.....;.....;.....;....;d....;.....;.....;i....;.....;f....;....;0....;.....;.....;.(...;+*...;.+...;A....;54...;.9...;,O...;.`...;.n...;.~...;.....;.....;M....;....;;....;q....;Z....;.....;.....;.-...;\=...;.P...;.d...;@|...;.....;Y....;#....;_....;/....;.....;.#...;.;...;.J...;gc...;cf...;W....;....;W....;.....;.....;.....;7....;.-...;.I...;Y\...;W....;....;.....;S....;.....;t....;.....;.....<W....<.&...<9<...<iG...<jQ...<.X...</a...<gi...<.n...<Pz...<.....<f....<.....<I....<.....<.....<.....<4C...<4d...<....<....<.....<.....<.....<D8...<.e...<_....<....<.... <I...!<...."<.E..#<.E..)<.G..*<%j..+<N...,<....;<....<<v...=<....><....?<....@<y...A<....B<....C<....D<....E<"F..F<.J..G<.O..J<.X..K<.e..L<.r
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1174528
                                                            Entropy (8bit):6.475826085865088
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:207AC4BE98A6A5A72BE027E0A9904462
                                                            SHA1:D58D2C70EA0656D81C627D424F8F4EFCCEF57C86
                                                            SHA-256:2BA904DA93ACC4766639E7018AC93CC32AA685DB475F3A59B464C6BC8B981457
                                                            SHA-512:BFB6C58774829DB3D5FADC92CB51477FF4EAC8FB934DB6583A312BB1157468F6DD3A4A3AFAF25A687B74890DC8A69857A12D0B38B18D83E82836E92E02046FF3
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....v...p......P.....................................................@A........................vT......AX..<.......x...........................<<.......................;......(...............<[.......O.......................text....u.......v.................. ..`.rdata..\............z..............@..@.data...H...........................@....00cfg...............F..............@..@.crthunk.............H..............@..@.tls.................J..............@...CPADinfo(............L..............@...malloc_h.............N.............. ..`.rsrc...x............P..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):2106216
                                                            Entropy (8bit):6.4563314852745375
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:1C9B45E87528B8BB8CFA884EA0099A85
                                                            SHA1:98BE17E1D324790A5B206E1EA1CC4E64FBE21240
                                                            SHA-256:2F23182EC6F4889397AC4BF03D62536136C5BDBA825C7D2C4EF08C827F3A8A1C
                                                            SHA-512:B76D780810E8617B80331B4AD56E9C753652AF2E55B66795F7A7D67D6AFCEC5EF00D120D9B2C64126309076D8169239A721AE8B34784B639B3A3E2BF50D6EE34
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.h...;...;...;..];...;...;...;.._;...;..h;0..;..i;'..;..X;...;..l;D..;?M.;...;..Y;...;..^;...;Rich...;........PE..L...92.K...........!.........d...............................................p .....O. ...@.........................@.......@...P..................... .h............................................i..@............................................text...S........................... ..`.data....~.......B..................@....rsrc................(..............@..@.reloc..D............,..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):4127200
                                                            Entropy (8bit):6.577665867424953
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:3B4647BCB9FEB591C2C05D1A606ED988
                                                            SHA1:B42C59F96FB069FD49009DFD94550A7764E6C97C
                                                            SHA-256:35773C397036B368C1E75D4E0D62C36D98139EBE74E42C1FF7BE71C6B5A19FD7
                                                            SHA-512:00CD443B36F53985212AC43B44F56C18BF70E25119BBF9C59D05E2358FF45254B957F1EC63FC70FB57B1726FD8F76CCFAD8103C67454B817A4F183F9122E3F50
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!7P.OdP.OdP.Od..NeR.OdP.Nd..OdY..dU.Od.Jem.Od.KeQ.Od...dQ.Od..Leo.Od..Je..Od..OeQ.Od..Ge..Od..Kec.Od...dQ.Od..MeQ.OdRichP.Od................PE..L..................!.....2<..*...............P<...............................?.......?...@A.........................<<.u.....=.P.....=.@.............>..%....=.........T....................u..........@.............=..............................text...e0<......2<................. ..`.data...`"...P<......6<.............@....idata........=.......<.............@..@.rsrc...@.....=.......<.............@..@.reloc........=.......<.............@..B........................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):2205743
                                                            Entropy (8bit):7.923318114432295
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:54D4E14BFF05C268248CAB2EEDFB61DD
                                                            SHA1:33AF472176F6E5FB821FFE23C9FBCCC7C735B5B9
                                                            SHA-256:2CAC401BFFA9FD4DFFE11E05EE18FC5CA7A30EC5BF7EF6A3EA8518A4F3344790
                                                            SHA-512:5A6893E7EA30EAA0EFF44687B0D15366A8224E476E4AE8FE0D5C7EF2B3C62E6B0184F73EAD36C4E4E08D6936524CEF8429660B3EC29453EED128E3C5368CE78C
                                                            Malicious:false
                                                            Preview:........K....[.....[.....[.....[Y....[.....[.....[.....[.....[P ...[.!...[."...[.#...[.$...[.%...[.%...[T&...[0'...[/(...[.(...[.(...[.*...[.+...[{,...[1-...[.-...[3....[b/...[.0...[.1...[.2...[.3...[,4...[.4...[P5...[.5...[#6...[!8...[.8...[.9...[.9...[::...[q;...[Y=...[.=...[ ?...[.@...[0A...[iB...[?D...[.E...[pE...[UF...[.G...[.H...[)I...[.I...[.M...[.M...[DN...[.N...[FO...[.O...[.Q...[oV...[uW...[cX...[[\...[.]...[Ea...[bc...[.c...[ d...[.d...[oe...[.f...[.h...[.i...[Xj...[.k...[.l...[An...[.o...[.p...[.....[....[.....[.....[.....[.....[[!...[.%...[d....[x1...[.4...[.4...[.9...[.C...[.Q...[KS...[#V...[=]...\.b...\.z...\Q}...\.....\.....\*....\`....\.^...\7b...\uy...\g....\.....\.....\=....\....\....\....\'....\.....\....\.... \....!\...."\....$\....%\....&\....)\....*\....+\.Q..,\.S..-\.U...\..../\w...0\....1\8...2\....3\....4\....5\....6\....7\.T..8\.z..9\6...:\....;\c...<\)&..=\.*..>\>5..?\JU..@\.r..A\....B\9...C\....D\S...E\....F\\y..G\Y...H\%...I\....J\M...K\.a..L\.j..M\.n
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):10717392
                                                            Entropy (8bit):6.282534560973548
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:E0F1AD85C0933ECCE2E003A2C59AE726
                                                            SHA1:A8539FC5A233558EDFA264A34F7AF6187C3F0D4F
                                                            SHA-256:F5170AA2B388D23BEBF98784DD488A9BCB741470384A6A9A8D7A2638D768DEFB
                                                            SHA-512:714ED5AE44DFA4812081B8DE42401197C235A4FA05206597F4C7B4170DD37E8360CC75D176399B735C9AEC200F5B7D5C81C07B9AB58CBCA8DC08861C6814FB28
                                                            Malicious:false
                                                            Preview:...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E.......E..P/...E.../...E..P7...E...7...E...h...F...h.. F..Pi..0F......DF.....WF.....jF..P...}F.......F..`....F.......F.. ....F.......F..0....F.......G......G......(G.....;G..@...NG......aG.....tG.......G.......G..@....G.......G.......G.......G..P....G.......H.......H..P...2H......EH..`...UH......hH......yH..P....H.......H.......H..`....H.......H.......H..P....I.......I......-I..@...=I......PI......aI..@...uI.......I...0...I.. 1...I..p1...I...e...I...e...I...i...I..`i...J...i..)J...K..BJ..p...^J..."'.uJ..P.'..J....'..J...5'..J..06'..J...>'..J..P?'..K...D'..K...F'.0K...H'.IK...V'.hK....(..K....(..K..P.)..K....)..K..pW*..K..P.*..L...*+.?L..p.+.bL....+..L...U,..L....,..L....,..L....,..L..@.,..M....,.-M..P.-.IM.. e-.`M...e-.~M...R/..M.../..M..0.0..M..@.0..M..P.0..M....0..N....0.!N...,0.9N...,0.NN..0-0.fN...-0.vN...Y0..N...Z0..N..
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):377856
                                                            Entropy (8bit):6.602916265542373
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:8BC03B20348D4FEBE6AEDAA32AFBBF47
                                                            SHA1:B1843C83808D9C8FBA32181CD3A033C66648C685
                                                            SHA-256:CBEE7AC19C7DCCCA15581BD5C6AD037A35820DDFE7C64E50792292F3F2E391E6
                                                            SHA-512:3F9EEC2C75D2A2684C5B278A47FB0E78B57F4F11591FAC4F61DE929F716BBAA8F7DF05E10390408AD6628538611541548C26869822372E9C38D2C9C43881651E
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....`...`............................................... ............@A........................8,..h....:..(.......x........................>..........................D........p..............(<..`............................text....^.......`.................. ..`.rdata..L....p.......d..............@..@.data....4...p.......`..............@....00cfg...............|..............@..@.tls.................~..............@....rsrc...x...........................@..@.reloc...>.......>..................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):6635008
                                                            Entropy (8bit):6.832077162910607
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:63988D35D7AB96823B5403BE3C110F7F
                                                            SHA1:8CC4D3F4D2F1A2285535706961A26D02595AF55C
                                                            SHA-256:E03606B05EEAED4D567EA0412350721C0D566B3096B18C23BD0B3FCDE239E45A
                                                            SHA-512:D5F5ACA00BE9E875FCD61531CC7F04F520FB12999E36E4FE06BEAAE491B47D2E9FE182015DB1CBFBB8E78CF679F2EB49E20ECDF1B16D1D42058D6F2D91BC3359
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!......L...........@.......................................e...........@A.........................].......^.d.....a.......................a.."...U]......................T].....X.L.............H.^.@.....].@....................text.....L.......L................. ..`.rdata...I....L..J....L.............@..@.data...X....._.......^.............@....00cfg........a.......a.............@..@.tls..........a.......a.............@....rsrc.........a.......a.............@..@.reloc..."....a..$....a.............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):176517632
                                                            Entropy (8bit):7.025874989859836
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:F5259CC7721CA2BCC8AC97B76B1D3C7A
                                                            SHA1:C2FC0C8396D8CD6764809A2A592972E2EBCA64BA
                                                            SHA-256:3FE6A262EF01CB8FD4DC2D4373DE0F1F0A89EE51953452ED4557CB55F1DA9AB4
                                                            SHA-512:2D01B1F2B24717EFF37965BBC32D167434A65F3DFFF74342D2E2FA8FBB0E97C3F61FDF673A13AD63031D630D9CE46A6F9F0C4F89EBD30C31F3EA55817B9D1331
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.........N.......k....................................................@A........................#..........h....0J.(C....................L.|.\.P................................?..............`.......LY..@....................text............................... ..`.rdata...%2..0...&2.................@..@.data...dr+..`.......>..............@....00cfg........I.......&.............@..@.rodata.@.....I.......&............. ..`.tls..........J.......&.............@...CPADinfo(.....J.......&.............@...malloc_h..... J.......&............. ..`.rsrc...(C...0J..D....&.............@..@.reloc..|.\...L..0\..B).............@..B........................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:current ar archive
                                                            Category:dropped
                                                            Size (bytes):40258
                                                            Entropy (8bit):4.547436244061504
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:310744A0E10BD9C2C6F50C525E4447F9
                                                            SHA1:9BA62D6AC2CB8EFF46C9B21051677FC1DC66D718
                                                            SHA-256:E9C55CFF925E26812139CDCAD6612E0D69E317CB7BB1435C9EB5113D338ACCE7
                                                            SHA-512:6DF9E3F9AFD7CDEC750B006987E5AEC445E163DD0B9CF1A9EA53F78DB2EE5FD654E3B4F82BCA3E1F4BEDB189F5DFA51189C820905676AD048DBE2E0AD405BF5B
                                                            Malicious:false
                                                            Preview:!<arch>./ 0 0 0 0 14390 `.......8z..:&..:...;...;...<&..<&..<...<...=...=...=...=...>...>...>...>...>...>...?f..?f..?...?...@B..@B..@...@...A$..A$..A...A...B"..B"..B...B...C...C...C...C...D...D...D...D...D...D...E...E...E...E...Fn..Fn..F...F...GZ..GZ..G...G...HJ..HJ..H...H...I$..I$..I...I...J...J...J...J...K ..K ..K...K...L...L...L...L...M...M...M...M...N...N...N|..N|..N...N...Od..Od..O...O...P`..P`..P...P...QP..QP..Q...Q...RT..RT..R...R...S@..S@..S...S...T...T...T...T...U...U...Un..Un..U...U...VP..VP..V...V...W,..W,..W...W...X...X...X...X...X...X...Y\..Y\..Y...Y...ZB..ZB..Z...Z...[,..[,..[...[...\...\...\...\...\...\...]b..]b..]...]...^N..^N..^...^..._6.._6.._..._...`$..`$..`...`...a...a...a...a...b...b...b...b...c...c...c...c...c...c...dj..dj..d...d...e^..e^..e...e...fV..fV..f...f...g8..g8..g...g...h*..h*..h...h...i"..i"..i...i...j...j...j...j...k...k...k...k...l...l...l...l...l...l...mh..mh..m...m...nN..nN..n...n...o2..o2..o...o...p...p...p.
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):470498
                                                            Entropy (8bit):5.409080468053459
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:64F46DC20A140F2FA3D4677E7CD85DD1
                                                            SHA1:5A4102E3E34C1360F833507A48E61DFD31707377
                                                            SHA-256:BA5CA0A98E873799A20FD0DF39FDB55AAB140E3CC6021E0B597C04CCE534246D
                                                            SHA-512:F7D789427316595764C99B00AF0EF1861204F74B33F9FAB0450F670CB56290C92BFB06EF7D1D3B3BF0B6ACDC6295E77F842C49579BD9973E3D5805920CDB2527
                                                            Malicious:false
                                                            Preview:........$$..e.>...h.F...i.N...j.Z...k.i...l.t...n.|...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.........................&...........5.....<.....C.....D.....E.....J.....W.....f.....w.................x.................A.......................S.........................................%.....{.......................V.......................J.......................Y.......................e.......................a.......................l...................................O.....f.......................).....z.......................6.....u.......................Q.......................E.....w.................!.....I.....R.............................l.......................f.................+.............................f.......................D.......................<......................._.......................2.....~.................2.....v.................X...........$.....8.................P.....r...........6.....j.....}.................1.....?...................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):763010
                                                            Entropy (8bit):4.909167677028143
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:3B0D0F3EC195A0796A6E2FAB0C282BFB
                                                            SHA1:6FCFCD102DE06A0095584A0186BD307AA49E49BD
                                                            SHA-256:F9F620F599BC00E84A9826948C3DA985AC9ADB7A6FFB4C6E4FBEFEAF6A94CF85
                                                            SHA-512:CA9217F22C52EF44E4F25142D1AD5DD9D16E4CCC3B6641609E1F4C2650944E35BA4CAB59CA5CD9EA6FEFD6BE1D3E8227FC0E3E6BDEDD14B059CA2C72D096D836
                                                            Malicious:false
                                                            Preview:........>${.e.r...h.z...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.(...|.....}.@.....H.....M.....U.....].....e.....l.....s.....z.....{.....|...............................................F.....f.....'...........V...........Y.............................5.................F.................!.................d.....z...............................................C...........\.................z...........h...........3...........$.....C.................e.................i.................,.......................X.............................h.......................!.....|...........$.............................1.....}.........................................Z.................|...........'.....N...........F.................;.............................G.................v............ ....4 ..... ....X!.....!.....!....x"....."....Z#.....#....M$.....%.....%.....%.....&....+'.....'.....'.....(....D).....).....)....2*.....*.....*.....*.....+....",.....,
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):838413
                                                            Entropy (8bit):4.920788245468804
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:C70B71B05A8CA5B8243C951B96D67453
                                                            SHA1:DEED73A89F0B3EDAB8FF74117CC6B31CB4F426E8
                                                            SHA-256:5E0D4BC0893A334B6FFF610F66E4A00920530D73EC3257EB9D37A96EBD555C13
                                                            SHA-512:E000FD3592AC5FE700C4CE117868915C066AC66D5954A1DE4F5AFF0F4559C93F7DFF47623F1837CE827FFF94E91ECD89A974037BE9CCCC8E672E229A1E8115E9
                                                            Malicious:false
                                                            Preview:.........#..e.....h.....i.....j.....k.....l.!...n.)...o.....p.;...q.A...r.M...s.^...t.g...v.|...w.....y.....z.....|.....}.........................................................................-.....d.................n...........A...........u.......................O.......................D.................Y...........3.....J...........=.....g.....~.....&.................O.......................B.....!...........u...........5...........).....W.................3.....N.....U.....B...........!.........../.....Y........... .......................g...........).....I.................#.....A...........@.................6........... .....D...........I.................%.............................=.................?...................................G...................................).....t............ ..... ..... ..... ....o!.....!....6"....\"....."....S#.....#.....#.....$.....%....V&.....&....5'.....'.....(....J(.....(....X).....).....).....*....z*.....*.....*....t+.....,....{,.....,....--
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):869469
                                                            Entropy (8bit):4.677916300869337
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:12A9400F521EC1D3975257B2061F5790
                                                            SHA1:100EA691E0C53B240C72EAEC15C84A686E808067
                                                            SHA-256:B7FD85B33B69D7B50F6C3FDC4D48070E8D853C255F2711EEDAA40D1BA835F993
                                                            SHA-512:31EAA1CBF13BC711750B257C6B75813ACC8E4E04E9262815E399A88B96BA7B5BE64CE2450638B5521D5CB36750C64848944168C3234D2CE15A7E3E844A1E1667
                                                            Malicious:false
                                                            Preview:........%$..e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}................... .....(.....0.....7.....>.....E.....F.....G.....L.....n...................................I...........Q...........q.......................T.................E.......................7.....~...........<.................:.....&...........F.................X...........$.................Z...........X...........m.................C.........................................{...........:.....a...................................8................._...........O.....}...................................$.....h.........................................2.............................3 ....e .....!.....!.....!.....".....".....#....W#.....#....{$....-%.....%.....%.....&....k'.....'....T(.....).....).....).....).....*....`+.....+.....+.....,....p-.....-....&....../...../.....0.....0.....1....o2.....2....73.....4.....4.....4....-5.....5....X6.....6.....6.....7.....8.....9
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1118348
                                                            Entropy (8bit):4.2989199535081895
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:89A24AF99D5592AB8964B701F13E1706
                                                            SHA1:2177122C6DCC20E1D07EF43AF5A112E8E5C6B95B
                                                            SHA-256:5BDBBCD0D07B6AE3A7F96F07871EE541F4111D90D73FD6E112C5ABE040025C96
                                                            SHA-512:60F6CD73BF35886EF54FA6200F86BCED78DD11F612C8071F63EB31108F109C166D45609879E8E5107024A025BAFCFCF1C80051B6D8FF650D92DCF17136384EB1
                                                            Malicious:false
                                                            Preview:........($..e.F...h.N...i._...j.k...k.z...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.......#.....(.....0.....8.....=.....E.....L.....S.....Z.....[.....\.....a.............................=.....G...........?.....4...........................................................B.....}.....>...........k...........X...........].............................q.....W...................................W...........S...........e.............................I.....m.....e..........._.....(.................9...........q.................p...........5.....X.....8...........Q...........M...........I.....u.....-...........!.....G............ ..... ..... .....!....P".....".....".....#.....%.....%.....&.....'.....'....^(.....(....;).....).....*....6*.....+.....+....1,....],....E-................-/...../....x0.....0.....0.....1.....2.....2.....3...."4.....4....x5.....5.....6....78....*9....]9.....:.....;....;<.....<.....=....?>.....>.....>.....?....y@.....@.... A....&B.....B
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):537139
                                                            Entropy (8bit):5.397688491907634
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:37B54705BD9620E69E7E9305CDFAC7AB
                                                            SHA1:D9059289D5A4CAB287F1F877470605ED6BBDA2C8
                                                            SHA-256:98B2B599C57675EFC1456B38B23CE5657B142E0547F89AB1530870652C8EB4BA
                                                            SHA-512:42D667FEB59BB5FA619AC43DC94629ED1157CBE602643FB21378A2C524EF1F6E32098E7C62D3F3DE35D9FEDEF6607FE034908601AE3C49156CD0916E2514D2F9
                                                            Malicious:false
                                                            Preview:........%$..e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}................... .....(.....0.....7.....>.....E.....F.....G.....I.....c.....|................._...........[.....z...........O.................D...........(.....G.................B....._.................A.....T.................8.....I...........3.....u...........(.......................p.................,.......................1.................T.....o.............................v.......................b.......................@.......................@.......................O.......................<.............................`.......................P.........................................M.......................H......................._.........................................n.......................Q.......................[.............................1.................>.........................................6.............................|...........".....>.
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):545011
                                                            Entropy (8bit):5.844949195905198
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:65A2C2A73232AB1073E44E0FB6310A5F
                                                            SHA1:F3158AA527538819C93F57E2C778198A94416C98
                                                            SHA-256:E9A1610AFFCA9F69CD651C8D2EDD71B5A0F82CB3910A8A9D783F68E701DB5BB0
                                                            SHA-512:20ED527F3BBBA2CECE03D7B251B19D6DCC9D345B5425291D8139FCDD5646EC34D585891160CC4BD96C668D18FFFFDD56F4D159880CFC0D538749F429F7F65512
                                                            Malicious:false
                                                            Preview:.........$..e.....h.&...i.....j.:...k.I...l.T...n.\...o.a...p.n...q.t...r.....s.....t.....v.....w.....y.....z.....|.....}.................................................#.....$.....%.....'.....7.....I.....[.....p.............................|.................%...........(.........................................3......................./.......................2.......................z...........I.....k...........R.......................v................./.......................z...........=.....W.................&.....=....................... .....o.......................^.......................r.......................m.......................b.......................z.................0...........%.....i.......................3.....G.......................(.......................1.................R................./.....J.....^...........A.....q.................`.................,...................................V.....w...........Z.......................O.....t.................b.......
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):496165
                                                            Entropy (8bit):5.446061543230436
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:A44EC6AAA456A6129FD820CA75E968BE
                                                            SHA1:9B5B17AFD57ADB8513D2DA9A72223E8A003975A5
                                                            SHA-256:F01F9C3E4E6204425F2969F77BF6241D1111CE86CDD169BDF27E5D2D4B86C91A
                                                            SHA-512:947DB81EA64009CC301CD2DCE06384202E56446F6D75E62390334B91D09B564CB0681E06BF7A945033BD6C28C2171346A91EE16693262C4E373A31B51AD42A9E
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):534726
                                                            Entropy (8bit):5.49306456316532
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:49CA708EBB7A4913C36F7461F094886B
                                                            SHA1:13A6B5E8DC8B4DF7A976A0859684DC0AA70F1B12
                                                            SHA-256:8AE7D6B77C51A4FE67459860ABDAE463F10766FAF2BA54F2BB85FD9E859D2324
                                                            SHA-512:6908F96BFDF7499B33E76697AA96103E89ACB3E25EDBD6156B610564AF14D4ED474C547A760503490B6327A801478E223039836BEEF2B938AF76827A15C0F751
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):950999
                                                            Entropy (8bit):4.76377388695373
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:9CBC320E39CFF7C29F61BD367C0BF3BB
                                                            SHA1:2AF07EFFF54A0CF916CF1C0A657F7B7ADF2029FF
                                                            SHA-256:E8837DEFA908EB2FD8B4EB6344412C93403A4258F75EC63A69547EB06A8E53B3
                                                            SHA-512:F7D84185F4520E7AAF3F3CACF38B53E9638BB7D5023FA244020EC8D141FFD5C10B198FF089824D69671FE8350F931B0BB19B6CAF14AF47B0838953367A146DD0
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):430665
                                                            Entropy (8bit):5.517246002357965
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:0F1E2BC597771A8DB11D1D3AC59B84F3
                                                            SHA1:C1F782C550AC733852C6BED9AD62AB79FC004049
                                                            SHA-256:E4798E5FF84069C3BFD7D64734CCD9FF5C8A606315B44A714ACDCABDDAF3CA6E
                                                            SHA-512:07E9B98357C880995576059AD4E91E0F145DC0F2FFF2DFDAD8649FA42EB46FA86F7F093503C41019EAD4550784E26C553D171518355FBBF995E38B1F6D7ABFF0
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):434598
                                                            Entropy (8bit):5.509004494756697
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:FEAB603B4C7520CCFA84D48B243B1EC0
                                                            SHA1:E04138F1C2928D8EECE6037025B4DA2995F13CB4
                                                            SHA-256:C5B8FBDBB26F390A921DCACC546715F5CC5021CD7C132FD77D8A1562758F21F4
                                                            SHA-512:E6B3970A46D87BFD59E23743B624DA8116D0E1A9912D014557C38FD2664F513E56317AFA536DF52E7E703863FBD92136BE57EE759A2FFC2958AB028F6287E8B7
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):524728
                                                            Entropy (8bit):5.377464936206393
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:32A59B6D9C8CA99FBD77CAA2F586509A
                                                            SHA1:7E8356D940D4D4CC2E673460483656915AA59893
                                                            SHA-256:AA4A5AA83DD5F8476867005844F54664DB1F5464A855EF47EC3A821DAF08E8F2
                                                            SHA-512:860BA06228BBA31EEC7EB8BD437DDB6E93BABD0129033FB6EFF168F2FB01B54E2B93D2AB50A5D4F5D2FB7B04A5D0DD5541999D708CC2613B74AADD17B3E98735
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):523181
                                                            Entropy (8bit):5.356449408331279
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:3D1720FE1D801D54420438A54CBE1547
                                                            SHA1:8B1B0735AE0E473858C59C54111697609831D65A
                                                            SHA-256:AE32D66C0329104B9624BA0811FE79149D1680D28299440EC85835DBA41C7BD2
                                                            SHA-512:C033BBB5261EC114DCB076EDB5E4B3293F37D60C813674A947F996606A6289204C04D2E4315356D92EEEB43FF41D534997DBEBBF960B17F2F24AA731AFE4B7E1
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):475733
                                                            Entropy (8bit):5.456553040437113
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:C00D66D3FD4FD9D777949E2F115F11FB
                                                            SHA1:A8EAAD96CABCDFB7987AF56CB53FA5E16143EC48
                                                            SHA-256:26C438935E3F666329EE8D1DABA66B39179BCF26EBAC902F9B957A784BDC9B4A
                                                            SHA-512:E7E8C083B556DD05874AC669B58A4D1CD05D1E1B771EB4C32942869E387C6FA2B317B5F489138BD90135117DAEB051D96A7823B531DF0303BD4245A036F25A20
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):773397
                                                            Entropy (8bit):5.04618630633187
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:C998140F7970B81117B073A87430A748
                                                            SHA1:8A6662C3AABDAC68083A4D00862205689008110C
                                                            SHA-256:182F18E4EFCA13CA59AFD1DF2A49B09733449D42526EE4700B11A9C5E6AAC357
                                                            SHA-512:5A947A44F674F9556FDD44D2E4FF8CF0E0AAC4475FFA12480CA1BD07CFE7514961B7CACE6760189432B4B4BEB5EA5816701158EB3CB827A806F3063853C46D5E
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):483378
                                                            Entropy (8bit):5.428549632880935
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:1CFD31A6B740D95E4D5D53432743EBF1
                                                            SHA1:20CEEEA204150BD2F7AAE5866C09A3B0AE72D4C5
                                                            SHA-256:F821E06B4BACD9E7660A2D6912A049591FFD56C6D2A0A29B914648589B17B615
                                                            SHA-512:C483B7347F91BE8EE515DCF352A1D7502B9A159EDE35EACCEBAA763B93A625BCE2D0C7D598C2A6111092257D6DAC7A167102E956697210D4694B9812D70C8A94
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):546749
                                                            Entropy (8bit):5.197094281578282
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:6EDA0CD3C7D513AAB9856EC504C7D16F
                                                            SHA1:BA24C4B994E7866F2C012CCEC6C22DFC1A4FCFF6
                                                            SHA-256:3CD2BC9E887663C5E093E0334BC60CF684655A815E3DE7AD9A34BAD5EBB858B1
                                                            SHA-512:47000F5EA882CB9EDDCF4FB42ED229423EE55AA18B4A4353D7EF85ADFA7E1B0BBB33C2469887224D7146B3E33FB2296749CD053D68D7DAF26980BC710A27C63E
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):568277
                                                            Entropy (8bit):5.380723339968972
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:D185162DF4CAC9DCE7D70926099D1CF1
                                                            SHA1:46594ADB3FC06A090675CA48FFA943E299874BBD
                                                            SHA-256:E40C07183A32B75930242F166C5AAE28F4CD769BB2268391BEAA241814E7D45A
                                                            SHA-512:987D9CC6AD5F2ED6A87537FDADF105F6EB31A97B11156E70814FE021047E5D8D08398F008812038DF3CCDCB6254BF5B744D9982FE04F79D407AC2F53BB046E25
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1103776
                                                            Entropy (8bit):4.336526106451521
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:44F704DB17F0203FA5195DC4572C946C
                                                            SHA1:205CBCC20ADCCCF40E80AA53272FBA8CD07389CA
                                                            SHA-256:4B073F08F0C8C035974B5EC43AA500F8BDD50E6CFE91A2FB972A39E0F15ECEDD
                                                            SHA-512:3CFD4501556845141EE9B461C831CA59779AD99F0E83E8D03433DE78D774378E87DE752DD9711C112A0C584259AD1DA6DC891D92F3F447F63A4D84263CD5BFCE
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):681555
                                                            Entropy (8bit):4.658620623200349
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:E75086A24ECAA25CD18D547AB041C65A
                                                            SHA1:C88CE46E6321E4A21032308DFD72C272FB267DBD
                                                            SHA-256:55BE8A5ED9FB9C129AC45B7FC99574B9907350AFD024BAA5D07525F43E995F6B
                                                            SHA-512:01D7FDD90B8D0D3779B8442250E2AA767481B2E581F880BF9C3DCBB15FCE52E477B1881F3704FBCB3172DB77DB10241BCB24851BFE30066D1E9B66244B3C6877
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1167065
                                                            Entropy (8bit):4.308980564019689
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:1FF8A0B82218A956D2701A5E4BFA84EF
                                                            SHA1:56BB8218963E14ADCC435F2455891F3A0453D053
                                                            SHA-256:62E7C3ABC317931723BE11ADD3712DD15EAAB0A35A4D8E7DB0B6347104EC5733
                                                            SHA-512:3330D983401953AA5ED4856A8D10FFCBEEFC2A4E594CF850566A0AD38837BC1164870BB1270B6BBE5D7DD6FB1ECA29CDE85869A5C51808B901CDC282E04764E4
                                                            Malicious:false
                                                            Preview:.........#..e.....h.....i.....j.....k.....l.%...n.-...o.2...p.?...q.E...r.Q...s.b...t.k...v.....w.....y.....z.....|.....}...............................................................................?.....j.............................................../.....j.........................................N.....}.....P...........^...........F...........A.....d.....K...........N.............................L.....&...........V...........f...................................L.....~.................{.................A.................y.....*.....}...........;...................................*.....[.................,.....K...................................j ..... ..... .....!....J".....".....".....#.....$....T%.....%....@&.....&....8'....d'.....'.....(.....(.....(.....)....6*.....*.....*.....+.....,.....-....c-......................%/.....0.....0.....1.....1.....2....i3.....4....B4.....5.....6.....7.....7.....9.....9....S:.....:.....;.....<....F=.....=.....>....N?.....?.....@.....@.....A....LB
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):526575
                                                            Entropy (8bit):5.518614920030561
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:0BD2F9847C151F9A6FC0D59A0074770C
                                                            SHA1:EA5313A194E9D99489E9F1D7B4DFC0BC986C8E17
                                                            SHA-256:5F2F1AA2E2EC78F375084A9C35275E84692EE68A1E87BBEF5A12A2C0FCF7F37A
                                                            SHA-512:0032C0B41FDF769DAA1AF23C443D4195B127DF9EA8621174F1AABDBAFAE4954383095FA1EEAD14FC458188B8837BBE9AECA0D5338E4D47F10D976FBED8609496
                                                            Malicious:false
                                                            Preview:........F$s.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.)...y./...z.>...|.D...}.V.....^.....c.....k.....s.....{.................................................................k...........Y.....z...........F.....~...................................e.......................y.......................m.......................l................. .................q................._.........................................A.............................4.......................j.......................D.....f.....w.................*.....:.................4.....I.................&.....5.................8.....M................. .....0.........................................S.....n.................0.....M.......................3....................... .................E.....v...........!.....F.....\...........).....[.....t...........U.................M...........(.....:...........".....`.................G.....v.................$.....B.....T...........0.....n.
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):566819
                                                            Entropy (8bit):5.6387082185760935
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:4C27A1C79AB9A058C0A7DFFD22134AFD
                                                            SHA1:5F0A1B34E808B91ADB1E431E462D9FCF82F4FFF2
                                                            SHA-256:AD98C0A367B51EB217E69D66FA6A946946E85EC8452FC5A7AE0F179F35BE28C3
                                                            SHA-512:0F066DB5905EB24B6CB4FBC7C81F017B43AFB7A6E975886644D871E979406B990509905D100653496EE2D20969A77434B702FF1EA5D348274AE54EA597A91D5E
                                                            Malicious:false
                                                            Preview:.........$..e.....h.....i.!...j.+...k.:...l.E...n.M...o.R...p._...q.e...r.q...s.....t.....v.....w.....y.....z.....|.....}.........................................................................+.....A.....V.....j.................9.....W...........N.................*.................*...........".....X.....q...........K.....r.................Y.................?................."...........I.................7.......................k...........'.....7...........:................./.................:.................Z.....w...........O.....v.................f.................5.................(...........2.....u...................................M.................0...........6.....x...................................m.................)................. .....I.................O.....g...........c.................O.......................E.......................r...........'.....H...........v.............................l...........7.........................................5...........& ....q
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):466959
                                                            Entropy (8bit):5.379636778781472
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:1466C484179769A2263542E943742E59
                                                            SHA1:18E45A08661FD6D34BADE01CDB1E1D5184BA2B67
                                                            SHA-256:C331293D16B16B08DEF73BE73437845D58C593941320C547A377DB423749AEBB
                                                            SHA-512:ABC54D5CAAA663578F064E43CC0465BEB97EFC46991936708EBF3FCD64BD007E47072AB4834A5361B21F064BB0F6527E247BC2C2F0DFB8336F50C2FF3E15A59C
                                                            Malicious:false
                                                            Preview:........ $..e.6...h.>...i.O...j.[...k.j...l.u...n.}...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.........................'...../.....6.....=.....D.....E.....F.....H.....V.....c.....s.................k................. .....l.......................l.................-.......................0.............................R.....s.................I.....x.................T.......................@.....j.....w.................L.....Y.................Z.....m...........H.......................%.....@.....Q.............................c.......................<.......................#.....t.......................L.....x.................%.....R.....^.................>.....K.................5.....G.............................J.......................".....h.......................L.....}.................#.....=.....K.................+.....:.................2.....K...........C.......................u.................,.....|.......................C.....b.....r...........1.....h.
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):522800
                                                            Entropy (8bit):5.284113957149261
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:7767A70358D0AE6D408FF979DF9B2CD4
                                                            SHA1:9C57A5B068DC12AAF1591778DEF5D3696377EDAB
                                                            SHA-256:672908E77E9EACA793654C8E630442099DE3BE772FD3230A9C4045CAFBCC0B1E
                                                            SHA-512:913AA8C49D04CD84706D08A88453D1ED36FDE6A00F7C1DF63DECEA99316A8A234924457C0C50937329B3979E437B1C2D7796E63ADF209505E212FDCEAE3BFDB5
                                                            Malicious:false
                                                            Preview:........-$..e.P...h.X...i.i...j.u...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.$.....,.....1.....9.....A.....I.....P.....W.....^....._.....`.....b.....u.......................E...........3.....O.................V.....g..........._.................o...........#.....L.............................k.......................n.................2...........*.......................w.................5.......................R...................................c................./.....[.....y.................=.....K.............................x.................*.............................`.......................4.............................^.........................................B.............................F.....\.....r........... .....L.....a...........=.......................b.......................8.....c.....v...........[.................c...........S.....j...........d.................[.................).....v.......................X.............
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):634636
                                                            Entropy (8bit):5.718480148171718
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:4A4AF69546DCF65F2D722A574E221BEA
                                                            SHA1:EE51613F111CF5B06F5605B629952EFFE0350870
                                                            SHA-256:7AD195AF107F2A394BAB527C3E84E08F3B7748076F23459F084CF0E05DD29655
                                                            SHA-512:0E93F6B22F7C9176EFC9D49901BFBD281FA5AC3632780DFA76CE597CADD8C1CF570A9163A86BC320BBFBD354F48288DBEC5E36A6088999B00A3561D302A96D03
                                                            Malicious:false
                                                            Preview:........n#K.e.....h.....i.....j.....k.....l.....m.....o.%...p.2...q.8...v.D...w.Q...y.W...z.f...|.l...}.~...............................................................................................6.....W...........}.................l........... .....8...........c.......................B.................W.......................x...................................7.....V...........e.................=.......................].......................{...........#.....2...........y.................`...................................<.....W...........j.................y...........e...................................h...........(.....:...........%.....a.....p...........{.................}...........m..................................._...................................Z.....x.............................o...................................:.....U...........*.....d.....z....."...........*.....?...........X.................`.................@.................g............ ..... ..... .....
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1256908
                                                            Entropy (8bit):4.247594585839553
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:6A41A5AB03A22BDAEC7985B9A75EC11A
                                                            SHA1:6BB02DF557BD6522E02FE026C0243BEB9332B2E5
                                                            SHA-256:E22873652AC7D9D18E47DAE838D121B5644EDA4C67F7B0BC110733BF7E931FEA
                                                            SHA-512:BCA661D802D29463A847AC77EB8D5DFA41C31455E7314049CA26555957DCA3BE33701C074F7ED26D2C375A0A9C5F8A93461007B8D74F5ED3BD27C02E5DB170A5
                                                            Malicious:false
                                                            Preview:........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...|.V...}.h.....p.....u.....}.................................................................W...........".....V.....W...................................n...........b............................._.......................<.....)...........s.......................).............................1.....7...................................[.................................................................*.....u...........f...........K.....^........................ ..... .....!..../"....i"....=#.....#....r$.....$....I%.....%....l&.....&....p'....((.....(.....(.....)....N*.....*.....*.....,.....-.....-................./.....0....W0.....0....z1.....1.....1.....2....Y3.....3.....4....@5.....6.....6.....7.....8.....8.....9....V9.....:....R;.....;....1<.....=....B>.....?....]?.....@....DB....BC....wC.....D.....E.....F....$G....\H....AI.....I....4J.....K.....K.....L....PL.....M....lN.....O
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):532715
                                                            Entropy (8bit):6.0824169765918725
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:5FD9942F57FFC499481947DB0C3FDFA7
                                                            SHA1:4D60AB21305902877467FF6151C1B7AB12553AAE
                                                            SHA-256:09E279860E20E9E559945940E29446CAD4273D05C5F3F15D0BAD664A1D5749F2
                                                            SHA-512:97953E580588C07769F1BD0002E2DF648FFCE5B246D2359E4475EDCFA1CD6E7286BAF168A115D7A65686B2151C313B6FD0C271E40B1F9DD4132F2F39904FE8D4
                                                            Malicious:false
                                                            Preview:........O#j.e.....h.....i.....j.....k.....l.....m.....o.....p.....q.....r.....s.....t.....y.#...z.2...|.8...}.J.....R.....W....._.....j.....r.................................................................].................5.................O.....b...........F.......................p.................'.......................,.......................;.......................L.......................e.......................Y.......................X...................................Q.....h.................>.....U................. .....0.........................................-.....I.................A.....Q.................L....._.................K.....[.................J.....Z...........O.......................Z.....{.................U.....}.................`.................%.......................J.............................h.......................\.................+.......................m.........................................'.............................x.........................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):573015
                                                            Entropy (8bit):5.63016577624216
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:8745B87D09D9ECC1112C60F5DD934034
                                                            SHA1:2F411E4EEF0E656CAC0C755FECE1AD2531CB689E
                                                            SHA-256:D546C994C81510122E7B2359DA50F694E1F0CA4081830404E16187A5CF4D4E0D
                                                            SHA-512:27B658C153A01AABB9595C5B1059567E535EDFC8F8187B89316D2C85694DE32696D209CFDD2A32C4826DFB1E50AC692937156563EE190E68DB358C40F9AAE15F
                                                            Malicious:false
                                                            Preview:........+$..e.L...h.T...i.e...j.q...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}. .....(.....-.....5.....=.....E.....L.....S.....Z.....[.....\.....^.....l.....y.................4...........".....=...........S.................M...........'.....A...........8.....p...................................A...................................B.....g...........z.................R...................................;.....K...........c.................T...........2.....P...........2.....Y.....t...........W.........................................E...................................D.....S...........Q.........................................S.............................B.................&.......................t...........1.....Y...........K.................+.........................................'...........N.................A.................,...........q.................d...........&.....F...........x.................(.......................H ..... .....!
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):570683
                                                            Entropy (8bit):5.624052036286866
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:E16B0B814074ACBD3A72AF677AC7BE84
                                                            SHA1:10744490B3E40BEB939B3FDCA411075A85A34794
                                                            SHA-256:46B5C09AA744AF0F660C79B0CDBDE8C8DBDD40A0BA1A23AAF28D37ECC4211DC5
                                                            SHA-512:70EA9DFAC667C0992AE0E95815A47EB8E779BAAE1215E733AFE84EEE26D3BA754AD838C12E9AEE3114D7BBE11CD21B31C550F5CAFE6C5E838B69E54C6174EF18
                                                            Malicious:false
                                                            Preview:........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...|.V...}.h.....p.....u.....}...................................................................................Z.................G.................%...........Z.................F.................6.................Q.....\...........Q.........................................|.....#.....t...................................W.................0...........T.................B...........8.....Y...........$.....J.....`...........-.....V.....h...........;.....b.....v.............................G.......................r.........../.....>...........'.....Z.....k...........c.................@...........3.....K.................).....>...........=.....t.................c.................(.................2.......................8...........<.....q.........................................:.................8...................................N.....^...........0.....K.....m............ .....
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1307271
                                                            Entropy (8bit):4.279854356980692
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:309E068B4E15157486D095301370B234
                                                            SHA1:D962CDAF9361767045A928966F4323EAD22D9B37
                                                            SHA-256:4F2C19B7E94B695C5C5CAB95DEE6E49AE53C3337C351B5C665BCB6BA4E6AE909
                                                            SHA-512:6B1333946C7950D97D2DF29D063DB39A0EC5C0EEAA1ECA40743E4A6A0E4C972D897D3FF2BA837B53E31B8003F2C5C4BACCB7A4AB4B50C6CB47DF39AD7B8E05E7
                                                            Malicious:false
                                                            Preview:........N$k.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.,...w.9...y.?...z.N...|.T...}.f.....n.....s.....{...........................................................$.....d.................Z.....C.......................W...........%.....r.....a.......................}.................n...........................................................I.................m.......................l.......................5.....y.............................^.............................j.......................|............ ..... .....!.....!....*".....#.....#....V$.....$....n%.....&.....&.....&.....'....n(.....(.....).....*.....*....W+.....+....c,....+-.....-.....-...........0.....0.....1.....1.....2....!3....Y3.....4.....4.....5....T5....06.....6.....7.....7.....9.....9.....:.....;.....;.....<.....=....Z=....|>....s?.....@....T@.....A....UB.....C....SC.....D.....E....yF.....F.....G.....H.....I.....I....-K....(L.....L.....M.....N.....N....eO.....O.....P.....Q.....R
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1075591
                                                            Entropy (8bit):4.313573412022857
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:69C36C23D6D9841F4362FF3A0F86CFDF
                                                            SHA1:C4C1F632EB8373107AEEBD6C26ECF036AEDA2B6B
                                                            SHA-256:6A794C2B08F8B046BE771DF33719536BDAF2371E3825D49A0E556958B781832D
                                                            SHA-512:8C1329BDB371677BC0A9D727A38591EDF32025BAE1E7EFE402D01C6A8BB5F647D827C59A18F40455D5C9C0482798525C98C3F1C8AC568AA886D7C1ED07D1580E
                                                            Malicious:false
                                                            Preview:.........$..e.....h.....i."...j.....k.=...l.H...n.P...o.U...p.b...q.h...r.t...s.....t.....v.....w.....y.....z.....|.....}.........................................................................@.....b.................%.....]...........W.................J.............................:.....@.....=...................................&.................&.....F.....P.......................h...........o...............................................c...................................R..........._.................i...............................................J.................. .....!.....!....(".....#.....#....O$....{$....B%.....&....c&.....&....F'.....(...._(.....(....R).....*....y*.....*.....+.....-.....-................./...../...../.....0....61....l1.....1....Z2.... 3.....3.....3.....4.....5.....6.....6.....7.....8.....9....E9....u:....n;.....;....@<.....=....O>.....?....5?.....@.....A.....B.....B....MD....WE.....E....eF....nG....LH.....H.....H.....I.....J.....J.....K....5L....)M.....M
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):489457
                                                            Entropy (8bit):5.250540323172458
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:A1253E64F8910162B15B56883798E3C0
                                                            SHA1:68D402D94D2145704DC3760914BF616CC71FC65D
                                                            SHA-256:E033BFAD6CD73EA7B001DFAF44B7102E3BBE2A1C418F005C149E4FB2565DB19F
                                                            SHA-512:ABD63713093049ECC8E24FD8145EAE065340058A3C38758A59EE8796FBED7E6CFBC54982D650889F1CEB54797060C7DDA12EEE2A963B14C5E907A110C2057DBE
                                                            Malicious:false
                                                            Preview:........T$e.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v./...w.<...y.B...z.Q...|.W...}.i.....q.....v.....~........................................................................................._.....{...........:.....n.....~...........\.................#.......................=.......................1.......................3.......................Y.................*.....z.......................W.......................E.......................b.........../.....A.............................N.......................$.....x.......................r.......................z.......................p.......................^.......................Q.......................r.................!.....s.......................S.....w.................6....._.....p.................T.....w.......................#.......................$.................2.....K...........B.......................s.................,.............................P.....r.................0.....].
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):476208
                                                            Entropy (8bit):5.4272499712806965
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:622ED80836E0EF3F949ED8A379CBE6DF
                                                            SHA1:9A94CD80E747B88582470EF49B7337B9E5DE6C28
                                                            SHA-256:560B2F09C1B6E6BB7E6A5A5F9BF85A88BD2ACA054B7D4A5955D9C91B6D7CA67C
                                                            SHA-512:950627E74180E1451BB35AE4A7416AC14D42D67BBBB59DC51D7B69E4CEB61715F8F9B0EB9D7F35FCEFD4D43FABE5CE2103F1AF3709CAE6733C25AC19E6339A83
                                                            Malicious:false
                                                            Preview:........2$..e.Z...h.b...i.y...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.....}.......................N...........A.....V.................X.....k...........z.................K.......................L.......................:.......................;.......................g................./...........<.........................................R.................1...........Q.......................\.....u.................1.....V.....f.................9.....I.................H.....\.................J.....Z...........".....T.....d.................@.....P.................<.....J...........4.....y.................B.....h.....{...........&.....E.....^.................-.....?...........,.....k.................V.....|.................b.......................i.................&.......................s...........9.....b...........*.....V.....i.................".....0.................).
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):491139
                                                            Entropy (8bit):5.362822162782947
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:C8378A81039DB6943F97286CC8C629F1
                                                            SHA1:758D9AB331C394709F097361612C6D44BDE4E8FE
                                                            SHA-256:318FB294CE025BDA7636B062CA7B6A1FB1E30C485D01856159CB5DB928782818
                                                            SHA-512:6687FFE4DE0D5A2314743EB3134096292724163D4E0332D2F47922B4807B0CDE7C20E2D57D2662E403D801BC7A20BC247F5D0EDD787AB650E5766B49AF7D3C63
                                                            Malicious:false
                                                            Preview:.........$..e.*...h.2...i.C...j.O...k.^...l.i...n.q...o.v...p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}...............................#.....*.....1.....8.....9.....:.....<.....H.....X.....i.....{.............................X.......................|...........4.....J.................M.....d.................8.....G.......................).................8.....Y...........1.....h.................F.....{.................U.........................................\.................4.............................Y.......................-.....~.......................}.......................v.......................V.......................5.....a.....n...........*.....^.....m...........I.......................X.......................>....._.....v...........,.....T.....f...........8.....o.................=.....[.....o...........3.....e.....v...........H.....................................................E.....j...........5.....f.....{.................B.....R.................B.
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):550453
                                                            Entropy (8bit):5.757462673735937
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:80C5893068C1D6CE9AEF23525ECAD83C
                                                            SHA1:A2A7ADEE70503771483A2500786BF0D707B3DF6B
                                                            SHA-256:0069648995532EFD5E8D01CC6F7DD75BD6D072E86C3AE06791088A1A9B6DACC4
                                                            SHA-512:3D1C41A851E1CF7247539B196AD7D8EE909B4F47C3CFB5BA5166D82CDA1C38049B81A109C23FA6D887490E42EE587CC2A6BD96A3EA890267C089AC74710C755F
                                                            Malicious:false
                                                            Preview:........6$..e.b...h.j...i.{...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.............................X...........S.....o...........=.....w...................................i...............................................z.................$.................1.....W...........M.................*.......................@.......................l...........0.....L...........].................9.....v.......................E.....h.....x.................,.....:.................<.....P.................>.....P.................6.....F.......................-.........................................e.....}.................4.....K.......................;.................+.....@.................a.................+.....I.....`.................9.....U...........2.....}...................................w...........'.....R.................9.....J.............................v.............
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):516256
                                                            Entropy (8bit):5.426294949123783
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:3BA426E91C34E1C33F13912974835F7D
                                                            SHA1:467A1B05BAD23252A08EE22E6B9EBB4404F6A0F0
                                                            SHA-256:CB66D88D3B3938FE1E42C50ECB85CEDB0D57E0F0AB2FA2A5FC0E4CDEA640E2B7
                                                            SHA-512:824A4301DC4D935FF34CE88FAA0354440FC1A3A8E79B0F4B0B2DCC8F12542ECEF65828FB930EDF5B35BF16863296BBAE39E9306962B4D3CFA9F6495AC05BDEF4
                                                            Malicious:false
                                                            Preview:........9$..e.h...h.p...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.$...|.*...}.<.....D.....I.....Q.....Y.....a.....h.....o.....v.....w.....x.....}.............................d...........L.....h.........../.....h.....x.............................w.................(.....y.......................^...................................:.....j..........._.................:......................._...................................K.....d...........p.................5.............................q.......................n.......................w.......................p.......................O.....}.................).....W.....a.................V.....g...........b................. .....j.......................;.....a.................=.....U...........N.................2.....W.....p...........8.....p.................S.................@.................0...........1.....{.................X.......................0.....V.....k...........C...................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):518861
                                                            Entropy (8bit):5.4029194034596575
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:4D7D724BE592BD0280ED28388EAA8D43
                                                            SHA1:8E3C46B77639EB480A90AD27383FBB14C4176960
                                                            SHA-256:4724D82866C0A693C2B02D1FFA67D880B59CDB0D3334317B34EC0C91C3D3E2A2
                                                            SHA-512:D05388F66C50E039F7D3393515740F6B2593F9C0EF8651F9CDE910C5FF06656E0D22FDB066B22665289EE495837EA16CC085ECB3F85B0F6FB498AECDAA19ADF7
                                                            Malicious:false
                                                            Preview:........I$p.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v."...w./...y.5...z.D...|.J...}.\.....d.....i.....q.....y.......................................................................u...........Z.....u...........@.................).................$.................S.....w.................D.....T.................(.....:...........(.....j.................x.................H.......................g...................................9.....N...........D.......................p.......................^.......................a.......................q.......................r.......................U.............................[.....e.................P.....a...........?.......................O.....y.............................?.................0.....J...........#.....p.................9.....c.....u...........#.....Y.....n.........../.....}...............................................G.....k...........N.......................B.....g.....|...........J.......
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):537125
                                                            Entropy (8bit):5.4566742297332596
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:4F1C0A8632218F6FEF6BAB0917BEB84F
                                                            SHA1:05E497C8525CB1ADE6A0DAEFE09370EC45176E35
                                                            SHA-256:9C19835F237B1427000D72C93703311CFCBEFF6C2B709474B16DB93E629BC928
                                                            SHA-512:A7CDF94F79CD888BB81FD167F6B09BF1BEF2C749218869E5A12A0A3B2C2506D1A63F64B63D8E48EA49375636041C639082563BF9D526FE44003FC5A5E8D50E9D
                                                            Malicious:false
                                                            Preview:........0$..e.V...h.^...i.o...j.y...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.(.....0.....5.....=.....E.....M.....T.....[.....b.....c.....d.....f.....u.......................3.................+.................%.....9...........@.................1.......................Q.......................4.......................C...................................>.....b...........@.......................d.........................................p...........@.....n.................+.....H.............................h.......................M.......................J.......................7.............................].......................E.....t...................................?.............................W.....w.................\.................).......................f.......................W.........................................'...........$.....y...................................f.......................j.......................l...........+.
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):878725
                                                            Entropy (8bit):4.848685093578222
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:3A3D0D865A78399306924D3ED058274E
                                                            SHA1:AA1A42DB6021666B2297A65094D29978792CE29B
                                                            SHA-256:EAB4C32FEBE084CC7A3A272CDA008B69D6617ED6D042376B0316BE185B9E66FE
                                                            SHA-512:ACA8C87D0B2BB35A325726F7774F8A0232B99C8EFE0F948AB68210958E23B95E9D9026A9430D96FC2D5CEBA94815F4217896EF877C9A6E1D0E56F73533FB1D12
                                                            Malicious:false
                                                            Preview:.........#/.e.....h.....i.#...j./...k.>...l.I...n.Q...o.V...p.c...q.i...r.u...s.....t.....v.....w.....y.....z.....|.....}.........................................................................9.....V.....n...........V.......................g...........i...........l.....).................g...........,.....f.......................@.................6.....M......................./....."...........l..........._...........D.....y..... .................&.......................5.....9.....3.............................B.................r.................D...................................=.....b.........................................E.....\...........Y.................'...................................D.....n...........j.................9.......................a...........i...........v...........t...........a........................ ....,!....l!.....!....j"....."....R#....|#....O$.....%.....%.....%.....&....x'.....(....Q(.....(....z).....).....)....]*.....*.....+....$+.....+.....,.....-
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):553886
                                                            Entropy (8bit):5.812150703289796
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:A9656846F66A36BB399B65F7B702B47D
                                                            SHA1:4B2D6B391C7C2B376534C0AF9AA6779755B4B74E
                                                            SHA-256:02B65F48375911C821786D91698E31D908A4C0F5F4F1460DE29980A71124480E
                                                            SHA-512:7E23CAA89FF80BF799AC5353CEAF344CBED0393F23D15FCBE8DC24EE55757F417CEA3BFC30889FD2CB41951F9FA5629C2E64B46DD9617D4A85EFEF0A255246F6
                                                            Malicious:false
                                                            Preview:........5$..e.`...h.h...i.|...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.%...}.7.....?.....D.....L.....T.....\.....c.....j.....q.....r.....s.....u.............................h...............................................[.........../.....I.................S.....j...........9.....h.....{...........4.....].....q...........J.................?.............................%.....`.....y...........\................./.............................%.....v.................G.....g.....|...........=.....c.....u...........6.....].....o...........O.........................................".......................3.......................R.............................-.....x.................0.....K....._.................0.....E.................G.....W...........T.................).....w.................-.......................M.............................O.................J.........................................'.........................................E.
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):532410
                                                            Entropy (8bit):5.486224954097277
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:BE49BB186EF62F55E27FF6B5FD5933F4
                                                            SHA1:84CFD05C52A09B4E6FA62ADCAF71585538CF688E
                                                            SHA-256:833F2E1B13381AA874E90B747931945B1637E53F2396A7409CCDA0A19CBE7A84
                                                            SHA-512:1808631559D3C28589D3F5A4B95554CEBC342DE3D71B05DDC213F34851BF802967BFFAC3D7668C487265EE245D1E26EFCE5D317EDBFBBEEB4BC2C9F122980585
                                                            Malicious:false
                                                            Preview:.........$..e.....h.6...i.G...j.Q...k.`...l.k...n.s...o.x...p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}...............................%.....,.....3.....:.....;.....<.....>.....P.....^.....n...................................y.................&...........2.....}.................h.......................g.......................Z.......................v.................O...................................3.....I.................T.....h...........b.................S...........$.....J.......................(.............................n.......................z...........$.....8.................2.....C...........).....j.................;.....i.....|...........?.....q.................[.......................g.......................L.....j.................G.......................~.................I.......................B.......................b.............................^.............................o.........................................j.......................x.......
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):818089
                                                            Entropy (8bit):4.779985663253385
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:AFA2DFBA3BD71FE0307BFFB647CDCD98
                                                            SHA1:CD7A5C54246E891981AEEEAA88D39EC9E3F2C594
                                                            SHA-256:1375353837629A20102C69BF62701EE5401BED84D3DC4845BED5EE43E4D322CF
                                                            SHA-512:CE8BBBDDC33CB6B8DF4AEE127A8987E6D8C1D0761AC5BD25D685310BAA2D377F239BDF06F2C04B54295CF8FD440697A69A040644D5A7C0395C4F71A0252B8E87
                                                            Malicious:false
                                                            Preview:........=$|.e.p...h.x...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.,...|.2...}.D.....L.....Q.....Y.....a.....i.....p.....w.....~.........................................).................W...........O...........\...........z.....E...................................3...........b.................a.................5.......................1.....1...........v...........|...........{...........`...........Y.....~.....d...................................S........... .......................{...........(.....K...........H.................c...........d...........3.................)...........B.................D.................(...........W.......................E.................~...........'.....O...........^.................~ .....!....]!....z!....J"....."....=#.....#....0$.....$.....$.....%.....%....P&.....&.....&.....'....1(.....(.....(.....).....*....5+....S+....A,.....,....Z-.....-....^...........=/....^/...../....Y0.....0.....0.....1....'2.....2
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):479512
                                                            Entropy (8bit):5.541069475898216
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:09592A0D35100CD9707C278C9FFC7618
                                                            SHA1:B23EEF11D7521721A7D6742202209E4FE0539566
                                                            SHA-256:9C080A2F6D4EDF0E2E94F78550B9DB59ADF5B1B9166DE2BAE496E6ABB6733304
                                                            SHA-512:E0760B3F227A3E7EAEB4816B8E02BEE51C62730D24403724D66B36BCCBC0BDCD56DF9EAB28B073AB727EE12C8856A858E52A9803E1A1C9164FCD3CF2F716D8AF
                                                            Malicious:false
                                                            Preview:.........$..e.....h.....i.....j.%...k.4...l.?...n.G...o.L...p.Y...q._...r.k...s.|...t.....v.....w.....y.....z.....|.....}.........................................................................#.....5.....I.....]...........b.................).......................e...........2.....K.................T.....p...........&.....U.....e...........%.....V.....f...........J.........................................O.......................Y..................................._.....u.............................n.......................J.......................'...............................................(.............................z.......................j.......................h.......................|.................$.....w.......................M.....k.......................?.....Q...........).....f.................J.....i.................;.....c.....x...........1.....l...................................q.................?.................;.....N.............................p.............
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):504856
                                                            Entropy (8bit):5.34516819438501
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:9E038A0D222055FED6F1883992DCA5A8
                                                            SHA1:8FA17648492D7F093F89E8E98BF29C3725E3B4B5
                                                            SHA-256:DDCA575D659545D80E715EB4176BBBBFBD3F75E24B223537B53740B0DCB282BD
                                                            SHA-512:FB70F97E08191DFEB18E8F1A09A3AB61687E326265B1349AB2EFF5055F57E177A496BF0EA3592B61C71FE1F73C9143CA1495B05226F36EB481024827CAE6DCC4
                                                            Malicious:false
                                                            Preview:........4$..e.^...h.f...i.q...j.}...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.,.....4.....9.....A.....I.....Q.....X....._.....f.....g.....h.....m.............................?.................$.................2.....D...........7.......................P.......................A.....l.....{...........&.....U.....c...........0.....d..................................._.......................m.......................n.............................*.......................J.....r.......................>.....G.........................................A.....O.................4.....F.................G.....R.................).....6.................).....2.................\.....u...........(.....T.....p...........2.....c.................D.......................l.................B.............................j.................+.......................j...........?.....S...........5.....x...................................P.......................r...........%.
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1298313
                                                            Entropy (8bit):4.058495187693592
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:36104CB0D5E26E0BBB313E529C14F4B4
                                                            SHA1:69A509DEE8419DA719DCF6DE78BFE0A6737508C5
                                                            SHA-256:DC28C869A143424F71EDCFDB08B56DA31C2EC96E9D608535FFA7DC0B0842B7D8
                                                            SHA-512:D46ED1AA19EB298BC4C3D61EFC28D80753D6B551F01808E6158A0869FAAE8755DF61D4B4BAFF1310DD09FCFC385ABA67E1AA7D61BBE399DF7BB2D483EBE0FEFF
                                                            Malicious:false
                                                            Preview:.........$..e.(...h.0...i.A...j.M...k.\...l.g...n.o...o.t...p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}...............................!.....(...../.....6.....7.....8.....=.....k.................:...........5...........$.....v...........`...........(...........Z.................%.............................O...........j.....L.........................................m...........u...................................;.....c...........7.................................................................8 ..... ....m!....I".....".....".....#.....$.....%....9%....d&....n'.....(....L(....C)....4*.....*.....*.....+.....,....3-....a-....Z.....J/...../...../.....0.....1....Z2.....2.....3....:5.....6....Z6....U7....=8.....8.....8.....9.....:.....:....F;.....<.....=.....=.....>....E?....S@.....@....[A....3B.....B....IC.....C.....D.....E....[F.....F....+H....>I.....J....pJ....\L....FN.....O.....O....DQ....QR.....S....{S.....T.....V.....V....'W....+X.....Y.....Y.....Y.....[....9\.....\
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1199612
                                                            Entropy (8bit):4.314031920337284
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:98714389748A98ECC536CD2F17859BDF
                                                            SHA1:07761AA31588F30C2CED4A1E31FE99DDC43A5E8D
                                                            SHA-256:8A81B1A5457407E49D6372677938E7A2D28DFCA69F555FEDC8A2C9C09C333A65
                                                            SHA-512:38CC4F064BD874EEC9DBFAB4C2A83A487FBCD89CEFB40BE4213C42231BC48AF9255341C9D325EE059BC50EE533898C5FA22CD3B3927A8E045049DEF3C5DFB2C6
                                                            Malicious:false
                                                            Preview:........N$k.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t. ...v.5...w.B...y.H...z.W...|.]...}.o.....w.....|.......................................................................X...........J...........|...............................................f.........................................~.............................Y.............................A.............................d.....X.........../.....k.....b...........5...............................................'.......................L.....u ....:!.....!.....!.....".....#....*$....k$.....%.....&....6'.....'.....(.....).....*...._*.....+....P,.....,.....-....'...........m/...../.....0.....1...."2....f2.....3.....4....R5.....5.....6....G7.....7.....7.....8....I9.....9.....9....{:....0;.....;....)<.....=.....>.....?.....?.....@....bA.....A.....B....JC....(D.....D.....D....DF.....F.....G.....G.....I....@K....qL.....L....4N....EO.....O....pP.....Q.....R....?S.....S.....T....^U.....U.....V....`W....[X.....Y
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1008989
                                                            Entropy (8bit):4.356501290091745
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:56F29DE3465795E781A52FCF736BBE08
                                                            SHA1:EAA406E5ED938468760A29D18C8C3F16CF142472
                                                            SHA-256:529C561747BF8B6206BE4F8BCF287A1D15E1B14A33113242DDAD5E035CA37BE6
                                                            SHA-512:519B5B3CC7032B2AF856456EEC25019B3A6A7F2A6DB7A0318CF87C41E08C6F6BFA73E239939B0DA16972C1D357FF06177765D875E19742D23E99A95FD4AC5416
                                                            Malicious:false
                                                            Preview:........i#P.e.....h.....i.....j.....k.....l.....o.....p.....q.....r.....s.0...t.9...v.N...w.[...y.a...z.p...|.v...}.....................................................................................'.....{.......................^...........e...........f.................s...........I...........]...........P...........r.................{...........D.....]...........;...........$.................,.....}.....K...........v...........e...........r...........m.....................................................E.......................P.......................:.......................B.......................b.......................s.......................X.......................S..................!.....".....".....".....#....0$....|$.....$....j%.....%....5&....l&.....'....z'.....'....!(....A).....).....*.....*.....+.....,....H,....x,....M-.....-....6.....l.....k/...../....o0.....0.....1.....2....>3...._3.....4.....5....c6.....6.....7....n8.....8.....9.....9....f:.....:.....:.....;.....<....D=
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):515329
                                                            Entropy (8bit):5.616482888977033
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:46CA9EE922C3C175DE466066F40B29CE
                                                            SHA1:5563E236A15CD9CC44AE859165DF1E4E722936C7
                                                            SHA-256:BD8B1441FD2057F0B61512CC0AA23DFD2619560CF886B4D453FA7472E7153A3F
                                                            SHA-512:45AA2D6896568751C2F986ABD281EA07CB731880DF8F28F2F0AEFD95736F41B1E005D8DFB6F0AEF0CED6CEF94154D34FD0DA2CB7F0B0C66D9C085F5C47F32605
                                                            Malicious:false
                                                            Preview:........c$V.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.%...s.6...t.?...v.T...w.a...y.g...z.v...|.|...}...........................................................................................)...........L.................+.......................e........... .....;.................7.....J.......................)......................................... .....B...........5.....x.................Z.......................Q.....{.................w.................Q.................!.......................'.......................&....................... ................."...../.................5.....F.................9.....F.................2.....>.................7.....D...........I.......................v.......................i.......................P.......................q.................-.....z.......................m.................,.............................*.................B................."...........(.....n.................N.....~.................l.......
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):876131
                                                            Entropy (8bit):4.88404350774067
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:1365ABDD1EFB44720EA3975E4A472530
                                                            SHA1:8421FC4905C592EB1269C5D524AA46866D617D3C
                                                            SHA-256:29AB0F7EE69FB7A1E1E54DD2A3746D2CFEAAA71AE5971EE30AA8E2E0F6556FA5
                                                            SHA-512:2E806A9BEA864E689BBD1D78B800DFDBC6E4109320F9A4790E52010BFDEC20C7644655A6FE3BABDE0B84D9580208CB78EF1FA0DB3476F8676C17A13D130296C7
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):765853
                                                            Entropy (8bit):5.17061834928747
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:3FED15E64BEAFBA75DE61B08A45AE106
                                                            SHA1:E24953271D8C0254AD011D3A65B2C2FA57903681
                                                            SHA-256:B6E250C3F4FBAC3AF5FB8BB1C61CACAD8685D7F2A97063DE23BC22E91B7F2E27
                                                            SHA-512:3948D080135AFEB240815D43F7B5B8D407BA2830FF701D9B8343F2A72E610827EDAAB643444CDCEB86812ADFC9FB3FBA3AAD6DB7488843C2A04E92A3E63FE40D
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):609259
                                                            Entropy (8bit):5.796202390024141
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:CD741C24AF7597E0DC11069D3AC324E0
                                                            SHA1:2A883DFBCF48D5093D70D4B77BBFFFA521287334
                                                            SHA-256:13E982DC4B2B1AEE093E96BA27E02258C2B815CBB062006A4396BB3A3E6A84B1
                                                            SHA-512:6D27998E25B57FF0CE08C3590B69031038CBA390E68333A83514022B2C56B689AF8AD9715302824027864B5320852E9AB77D74E3B8A90DC66DF59F48CEB528C9
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):441207
                                                            Entropy (8bit):6.685712707138377
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:99E6ACFB46923C4F8B29058E9EE6166B
                                                            SHA1:AF06C42E5F3578ADBC4F0BD7262DC6775FDD351F
                                                            SHA-256:9D8498875263B19552A982D1850F2F942FF44AF4E323BC5A3A67C34413994D95
                                                            SHA-512:4FDF5186FC2FC68210C2BE91F5B821F0979CA67D6C9B8915C14E7A20D3CE2548EB2660D5F9F398CF6C585A5C0725FA34FD3670F416F7C8A4F009C729BCF02988
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):439630
                                                            Entropy (8bit):6.6906570508767995
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:BB7C995F257B9125457381BB01856D72
                                                            SHA1:21C55FF5CBC4F223C23D5A2FBCC9E051DB78A44C
                                                            SHA-256:F2299E03E99B0E9A9CACE3B1C72E6C8C5FE089487CA1C82F2AAF4273B62E37A2
                                                            SHA-512:5247C5DA6F00DF6241500524DDB162041A03649FA0AFCC11AD40E820814958768A2E11CE34E1250FDBF42B2459F8C06B00AE7442B537F0731A62C6724FC8D890
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):275968
                                                            Entropy (8bit):5.778490068583466
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:7EA1429E71D83A1CCAA0942C4D7F1C41
                                                            SHA1:4CE6ACF4D735354B98F416B3D94D89AF0611E563
                                                            SHA-256:EDEC54DA1901E649588E8CB52B001AB2AEC76ED0430824457A904FCC0ABD4299
                                                            SHA-512:91C90845A12A377B617140B67639CFA71A0648300336D5EDD422AFC362E65C6CCD3A4FF4936D4262B0EAF7BAE2B9624BCD3C7EEC79F7E7CA18ABE1EC62C4C869
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1547797
                                                            Entropy (8bit):4.370092880615517
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:32AB4E0A9A82245EE3B474EF811F558F
                                                            SHA1:9F2C4C9EEB5720D765F2321ACD0FF9F8DD11E6A4
                                                            SHA-256:9BBF4D15F8FB11F7D2C032BD920D2A33B2C2CB8EF62E7E023049AF6132F5D6C1
                                                            SHA-512:A0574A170F69F9926C32BAF6119A16A381FEC9E881B304082859EE7CFF463570C78984EE14369C59CDB19E532B3ABF193D02B462F1B40D07214B6244150CD63F
                                                            Malicious:false
                                                            Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>log4net</name>.. </assembly>.. <members>.. <member name="T:log4net.Appender.AdoNetAppender">.. <summary>.. Appender that logs to a database... </summary>.. <remarks>.. <para>.. <see cref="T:log4net.Appender.AdoNetAppender"/> appends logging events to a table within a.. database. The appender can be configured to specify the connection .. string by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionString"/> property. .. The connection type (provider) can be specified by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionType"/>.. property. For more information on database connection strings for.. your specific database see <a href="http://www.connectionstrings.com/">http://www.connectionstrings.com/</a>... </para>.. <para>.. Record
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):342741
                                                            Entropy (8bit):5.496697631795104
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:A58DB728B50E6B82CBDCAA0DB61D36B1
                                                            SHA1:7CD76526CB29A0FF5350A2B52D48D1886360458B
                                                            SHA-256:BA2F2AC6AE9BC67399728F25772A0EB3E840695395CC747ADF4B2F8B5D6D9A46
                                                            SHA-512:0DB9AFBDADA44364521D89BAB6055458125F4F3C8C1B09048EAFA4055A194231CCFFD82FCDADA9360AB2B19F472B893330EBFCB027391E7A0C2B1100FC51E673
                                                            Malicious:false
                                                            Preview:..mirrors....(function(a,b){."use strict";.var c=a.Array;.var d=a.isNaN;.var e=a.JSON.stringify;.var f;.var g;.var h=b.ImportNow("promise_state_symbol");.var i=b.ImportNow("promise_result_symbol");.var j;.var k;.b.Import(function(l){.f=l.MapEntries;.g=l.MapIteratorNext;.j=l.SetIteratorNext;.k=l.SetValues;.});.var m={.UNDEFINED_TYPE:'undefined',.NULL_TYPE:'null',.BOOLEAN_TYPE:'boolean',.NUMBER_TYPE:'number',.STRING_TYPE:'string',.SYMBOL_TYPE:'symbol',.OBJECT_TYPE:'object',.FUNCTION_TYPE:'function',.REGEXP_TYPE:'regexp',.ERROR_TYPE:'error',.PROPERTY_TYPE:'property',.INTERNAL_PROPERTY_TYPE:'internalProperty',.FRAME_TYPE:'frame',.SCRIPT_TYPE:'script',.CONTEXT_TYPE:'context',.SCOPE_TYPE:'scope',.PROMISE_TYPE:'promise',.MAP_TYPE:'map',.SET_TYPE:'set',.ITERATOR_TYPE:'iterator',.GENERATOR_TYPE:'generator',.}.var n=0;.var o=-1;.var p=[];.var q=true;.function MirrorCacheIsEmpty(){.return n==0&&p.length==0;.}.function ToggleMirrorCache(r){.q=r;.ClearMirrorCache();.}.function ClearMirrorCache(r){.
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):8226870
                                                            Entropy (8bit):7.996842728494533
                                                            Encrypted:true
                                                            SSDEEP:
                                                            MD5:F7EC58AEA756F3FD8A055AC582103A78
                                                            SHA1:086B63691F5E5375A537E99E062345F56512A22C
                                                            SHA-256:517418184EA974C33FFE67B03732D19B1234DCB9E5C1C2E9E94ED41B3BC1D064
                                                            SHA-512:C620C6E16BBCEE9BC607E6CA75D602C756276AC69E5F3761D82DE7728164133656A71A69043EB1A86CE3051FDE4327A47EFD41D1FF47C8385699CA67C423AD7B
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):276319
                                                            Entropy (8bit):4.242318669799302
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:8234983533FA47D2A1D7710FF8274299
                                                            SHA1:E4C5793B6FE6A6C6C9D8E3921B3BC341AE3448D8
                                                            SHA-256:F95553D8066144CBB8A05EED1735C94A4B97A2E44E49F624C2302990A13017C9
                                                            SHA-512:1E7E201B0FF9AFA7821B5FFD0A36548A49CD4DBBABA5858E13DA35058670A5053723DD3544B2FD85C619F2B8FC9E5DB48DF977BB293E7BA7DE6F22CC8DAB28CA
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):29
                                                            Entropy (8bit):4.159199529386524
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:FF2077D414778DB1E7DC844E9AE55347
                                                            SHA1:6258BC2F81DF20A2EA2539598313684DF10ED693
                                                            SHA-256:55B535EBD9ABE00F702B8362D6B4A4A18F27F030887E907F8161CF79E3B182E0
                                                            SHA-512:DAD4A28357090B3B782AB47B3508A33B8F0A1797818D743620239E97B77779E6F5E40CB0942361DDF97834A49F27A529B71A26E3EC08820A88179EC548A64F94
                                                            Malicious:false
                                                            Preview:start GamePall.exe 8KuQuyEucb
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:MSVC program database ver 7.00, 512*4023 bytes
                                                            Category:dropped
                                                            Size (bytes):2059776
                                                            Entropy (8bit):4.067542396670122
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:70F9EAEA8A2A604E59F72EDE66F83AB4
                                                            SHA1:0AB9EA1BFFDFF471EC22AB289C7FBC5E0CDF48BF
                                                            SHA-256:38A07BA75CC2BBDF715CA87D380A4E5A0DCFAF9C30C5ECD30F6107871D51825B
                                                            SHA-512:47DE4DAD93385A4907FADE307040FE026ED66989C0C9915AFC96CB2BC93DE5E106DC1274E4AD2382021C758C60FEDE06D68998CF3591E23E2951778CE09D6D4C
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):346624
                                                            Entropy (8bit):6.54104466243173
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:7A53AD3E5D2E65C982450E7B7453DE8A
                                                            SHA1:99F27E54F1F61207C02110CAC476405557A8AD54
                                                            SHA-256:24FDDD6A367792A9D86D9060FC9AA459B5FB0F67804CB7D139A100D86BBDAFF8
                                                            SHA-512:2B5E5DB46FDC787CB46CDAEBFFC01586E248FBB864677B27AF03CDC33E956DEF51B3F836597E7092C4175CF605C44728C6F96B74BB2C9870E9715D4AF4C531A1
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):2445312
                                                            Entropy (8bit):6.750207745422387
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:334C3157E63A34B22CCE25A44A04835F
                                                            SHA1:C6B05BD55BE9FED3B0C5077C5649E2A41C10DC08
                                                            SHA-256:3E307570B574469EC8BCF1CE6D5291DF8D627CA3812F05AACFEBBD3F00B17F89
                                                            SHA-512:11F538ADD05515861891892EBB90163B6540B72FEB380D64B4A0AA56C6415E3B71374557BF50D0B936712B1006F2B94D59BEBFBF18CBF93BB883D9055CAAEEE9
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):631017
                                                            Entropy (8bit):5.144793130466209
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:0794DF29DF8DFC3ECE5C443F864F5AEB
                                                            SHA1:BFD4A9A34BEB9751BC4203FB9A9172F1F05E5B16
                                                            SHA-256:3EE2237E9B14871165B051CCF892C8375E45B5F12841E02F4B9D37F5D5A03283
                                                            SHA-512:0D34E36F7455B977F086F04840FBA679284A619A7164A56B5C7FC2ADCB23A231B67A62101540EB07CF5C8192790266B08D2CC232D291621C331FE77C1F5E52C0
                                                            Malicious:false
                                                             Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):4400640
                                                            Entropy (8bit):6.667314807988382
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:7F913E31D00082338F073EF60D67B335
                                                            SHA1:AC831B45F2A32E23BA9046044508E47E04CDA3A4
                                                            SHA-256:B60E9818C4EA9396D0D2D2A4AC79C7DC40D0DFF6BB8BC734D0AB14ADC30FBF30
                                                            SHA-512:E1AC79C775CF9137283CD2C1AE1A45EC597E0351CDB9C11D483E2E1F8B00CC2BBC5807A50DED13A3A5E76F06C1A565EFF1233F4EC727B0C5F7AA3BEAEA906750
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                             Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:JSON data
                                                            Category:dropped
                                                            Size (bytes):106
                                                            Entropy (8bit):4.724752649036734
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:8642DD3A87E2DE6E991FAE08458E302B
                                                            SHA1:9C06735C31CEC00600FD763A92F8112D085BD12A
                                                            SHA-256:32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
                                                            SHA-512:F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
                                                            Malicious:false
                                                            Preview:{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):826368
                                                            Entropy (8bit):6.78646032943732
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:A031EB19C61942A26EF74500AD4B42DF
                                                            SHA1:FDC6EA473234F153639E963E8EFB8D028DA1BE20
                                                            SHA-256:207706A3A3FAA8500F88CB034B26413074EFC67221A07C5F70558F3C40985A91
                                                            SHA-512:80F843E47FC2B41B17EF6EA1BB2BB04119B2417311599EC52120D9F9DF316B4D7B1DAF97EE5CDF2AE78CDB9475E5C65255A7F2AB2A9231804F6A82C83303FD19
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                             Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):211456
                                                            Entropy (8bit):6.566524833521835
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:6D7FD214164C858BBCF4AA050C114E8C
                                                            SHA1:B8868DA6BB9A79EE7C9901A9BFAC580D5BAFCC96
                                                            SHA-256:3F58FB22BD1A1159C351D125BEE122A16BB97BABB5FCA67FDBD9AAAED3B302E6
                                                            SHA-512:0F8F2523C3A616AC7C72A1239B7E353F6A684FF75DA79D1CAF9B98A47FF6FE06329165825704C67C04E92073BA2C17D0FF339C57731DDF0F1489C2E97D1D0A14
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                             Preview:
                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                            Entropy (8bit):7.130028698415853
                                                            TrID:
                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                            • DOS Executable Generic (2002/1) 0.02%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
                                                            File size:76'495 bytes
                                                            MD5:e9521ec55c41641cc645a0223b1e9ac1
                                                            SHA1:ef63f2a2d918925b8b44ec9a9b848e919cc6a22a
                                                            SHA256:2c49cd770976c10d5f65114ce71ce14817e3ffaa74cf3bed2fa24f588b13ebf2
                                                            SHA512:2b47b987176e633307fab15343879e0befa461af5e25f15d58eba3ebee9022bfd3bdf9b51ae970509ab6efc7e1dd09917acbef88f5d10104e28b93373187a780
                                                            SSDEEP:1536:6FiFMVzRtVXmqpScuHEMVSco4Romu/T/juizvTbdq2f+:6Fi6z/VXzAf3oco454juKf8W+
                                                            TLSH:2A73DF253390C4B3DB7607B05D7A57A3ABF68D1110A4A3472790EE6FBD772D2890F582
                                                             File Content Preview:
                                                            Icon Hash:0771ccf8d84d2907
                                                            Entrypoint:0x4034cc
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x614F9B02 [Sat Sep 25 21:56:18 2021 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f10e4da994053bf80c20cee985b32e29
                                                            Instruction
                                                            push ebp
                                                            mov ebp, esp
                                                            sub esp, 00000220h
                                                            push esi
                                                            push edi
                                                            xor edi, edi
                                                            push 00008001h
                                                            mov dword ptr [ebp-10h], edi
                                                            mov dword ptr [ebp-04h], 0040A130h
                                                            mov dword ptr [ebp-08h], edi
                                                            mov byte ptr [ebp-0Ch], 00000020h
                                                            call dword ptr [004080B0h]
                                                            mov esi, dword ptr [004080C0h]
                                                            lea eax, dword ptr [ebp-000000C0h]
                                                            push eax
                                                            mov dword ptr [ebp-000000ACh], edi
                                                            mov dword ptr [ebp-2Ch], edi
                                                            mov dword ptr [ebp-28h], edi
                                                            mov dword ptr [ebp-000000C0h], 0000009Ch
                                                            call esi
                                                            test eax, eax
                                                            jne 00007F643CE1CDF1h
                                                            lea eax, dword ptr [ebp-000000C0h]
                                                            mov dword ptr [ebp-000000C0h], 00000094h
                                                            push eax
                                                            call esi
                                                            cmp dword ptr [ebp-000000B0h], 02h
                                                            jne 00007F643CE1CDDCh
                                                            movsx cx, byte ptr [ebp-0000009Fh]
                                                            mov al, byte ptr [ebp-000000ACh]
                                                            sub ecx, 30h
                                                            sub al, 53h
                                                            mov byte ptr [ebp-26h], 00000004h
                                                            neg al
                                                            sbb eax, eax
                                                            not eax
                                                            and eax, ecx
                                                            mov word ptr [ebp-2Ch], ax
                                                            cmp dword ptr [ebp-000000B0h], 02h
                                                            jnc 00007F643CE1CDD4h
                                                            and byte ptr [ebp-26h], 00000000h
                                                            cmp byte ptr [ebp-000000ABh], 00000041h
                                                            jl 00007F643CE1CDC3h
                                                            movsx ax, byte ptr [ebp-000000ABh]
                                                            sub eax, 40h
                                                            mov word ptr [ebp-2Ch], ax
                                                            jmp 00007F643CE1CDB6h
                                                            mov word ptr [ebp-2Ch], di
                                                            cmp dword ptr [ebp-000000BCh], 0Ah
                                                            jnc 00007F643CE1CDBAh
                                                            and word ptr [ebp+00000000h], 0000h
                                                            Programming Language:
                                                            • [EXP] VC++ 6.0 SP5 build 8804
                                                             Name | Virtual Address | Virtual Size | Is in Section
                                                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8438 | 0xa0 | .rdata
                                                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x36000 | 0x4108 | .rsrc
                                                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                             IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                             IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
                                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                             Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                             .text | 0x1000 | 0x639f | 0x6400 | 7224e998fe56f3bd47d63fbbb07b7c8a | False | 0.6683203125 | data | 6.446278846973847 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                             .rdata | 0x8000 | 0x1276 | 0x1400 | f7ab432379f1255f04a3e990ba282ef1 | False | 0.4333984375 | data | 5.054263249154582 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                             .data | 0xa000 | 0x1a858 | 0x600 | 8e1e6b6bb7da1113950a0aab31a168c0 | False | 0.4427083333333333 | data | 4.079691703439067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                             .ndata | 0x25000 | 0x11000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                             .rsrc | 0x36000 | 0x4108 | 0x4200 | 04ed5bc7191f2908fa190137579bdcbf | False | 0.626953125 | data | 6.006157417687487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                             Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                             RT_ICON | 0x362b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.7213883677298312
                                                             RT_ICON | 0x37358 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors | English | United States | 0.6751066098081023
                                                             RT_ICON | 0x38200 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors | English | United States | 0.7851985559566786
                                                             RT_ICON | 0x38aa8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors | English | United States | 0.6560693641618497
                                                             RT_ICON | 0x39010 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.8031914893617021
                                                             RT_ICON | 0x39478 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.3118279569892473
                                                             RT_ICON | 0x39760 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.36824324324324326
                                                             RT_DIALOG | 0x39888 | 0x202 | data | English | United States | 0.4085603112840467
                                                             RT_DIALOG | 0x39a90 | 0xf8 | data | English | United States | 0.6290322580645161
                                                             RT_DIALOG | 0x39b88 | 0xee | data | English | United States | 0.6302521008403361
                                                             RT_GROUP_ICON | 0x39c78 | 0x68 | data | English | United States | 0.6634615384615384
                                                             RT_MANIFEST | 0x39ce0 | 0x423 | XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators | English | United States | 0.5127478753541076
                                                             DLL | Import
                                                             ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
                                                             SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
                                                             ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
                                                             COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                                             USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, SetWindowPos, SetCursor, GetSysColor, SetClassLongA, GetWindowLongA, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
                                                             GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                                             KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersionExA, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv
                                                             Language of compilation system | Country where language is spoken
                                                             English | United States
                                                            Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                            Target ID:0
                                                            Start time:02:43:22
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe"
                                                            Imagebase:0x400000
                                                            File size:76'495 bytes
                                                            MD5 hash:E9521EC55C41641CC645A0223B1E9AC1
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:02:44:39
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Local\Temp\setup.exe"
                                                            Imagebase:0x400000
                                                            File size:107'107'091 bytes
                                                            MD5 hash:2B4BA70B5C6115ADD73FDEF28AAEAA8A
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 8%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:02:45:04
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Imagebase:0x440000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 5%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:8
                                                            Start time:02:45:09
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3256 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
                                                            Imagebase:0xf10000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:9
                                                            Start time:02:45:09
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3720 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                                                            Imagebase:0x9e0000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:10
                                                            Start time:02:45:09
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3796 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                                                            Imagebase:0x660000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:02:45:09
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1725339558529135 --launch-time-ticks=6350788134 --mojo-platform-channel-handle=3836 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                                                            Imagebase:0xcd0000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:02:45:09
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1725339558529135 --launch-time-ticks=6350826709 --mojo-platform-channel-handle=3940 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                                                            Imagebase:0x260000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:02:45:16
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --time-ticks-at-unix-epoch=-1725339558529135 --launch-time-ticks=6357847939 --mojo-platform-channel-handle=2060 --field-trial-handle=3248,i,11380243691243800328,17966187180915203330,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                                                            Imagebase:0xf30000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:14
                                                            Start time:02:45:16
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0xf00000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:15
                                                            Start time:02:45:18
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x9a0000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:16
                                                            Start time:02:45:19
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x3e0000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:17
                                                            Start time:02:45:19
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0xac0000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:18
                                                            Start time:02:45:19
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x400000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:19
                                                            Start time:02:45:19
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x200000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:20
                                                            Start time:02:45:20
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x170000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:21
                                                            Start time:02:45:20
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x2a0000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:22
                                                            Start time:02:45:20
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0xf10000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:23
                                                            Start time:02:45:20
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x60000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:24
                                                            Start time:02:45:21
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x2f0000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:25
                                                            Start time:02:45:21
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0xbc0000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:26
                                                            Start time:02:45:21
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0xa90000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:27
                                                            Start time:02:45:21
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x90000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:28
                                                            Start time:02:45:22
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x3c0000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:29
                                                            Start time:02:45:22
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0xeb0000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:30
                                                            Start time:02:45:22
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x370000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:31
                                                            Start time:02:45:22
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0xaf0000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:32
                                                            Start time:02:45:22
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x3c0000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:33
                                                            Start time:02:45:23
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x780000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:34
                                                            Start time:02:45:23
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x440000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:35
                                                            Start time:02:45:23
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0xb50000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:36
                                                            Start time:02:45:23
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0xee0000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:37
                                                            Start time:02:45:23
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x990000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:38
                                                            Start time:02:45:23
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x760000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:39
                                                            Start time:02:45:24
                                                            Start date:03/09/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0xa80000
                                                            File size:187'392 bytes
                                                            MD5 hash:46A3A9D4CA0EBE2BC40FA28BBFCD7200
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                              Execution Graph

                                                              Execution Coverage:18.6%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:19.6%
                                                              Total number of Nodes:1451
                                                              Total number of Limit Nodes:37
4477->4476 4478 40203d 4477->4478 4479 406794 5 API calls 4478->4479 4480 402044 4479->4480 4481 406794 5 API calls 4480->4481 4482 40204e 4481->4482 4482->4476 4486 4062e6 wsprintfA 4482->4486 4484 402089 4487 4062e6 wsprintfA 4484->4487 4486->4484 4487->4476 3977 403a7c 3978 403a97 3977->3978 3979 403a8d CloseHandle 3977->3979 3980 403aa1 CloseHandle 3978->3980 3981 403aab 3978->3981 3979->3978 3980->3981 3986 403ad9 3981->3986 3984 405b4a 67 API calls 3985 403abc 3984->3985 3987 403ae7 3986->3987 3988 403ab0 3987->3988 3989 403aec FreeLibrary GlobalFree 3987->3989 3988->3984 3989->3988 3989->3989 4488 4018fd 4489 401934 4488->4489 4490 402c39 17 API calls 4489->4490 4491 401939 4490->4491 4492 405b4a 67 API calls 4491->4492 4493 401942 4492->4493 3990 40247e 3991 402c39 17 API calls 3990->3991 3992 402490 3991->3992 3993 402c39 17 API calls 3992->3993 3994 40249a 3993->3994 4007 402cc9 3994->4007 3997 402ac5 3998 4024cf 4000 4024db 3998->4000 4011 402c17 3998->4011 3999 402c39 17 API calls 4001 4024c8 lstrlenA 3999->4001 4003 4024fd RegSetValueExA 4000->4003 4004 4031fd 44 API calls 4000->4004 4001->3998 4005 402513 RegCloseKey 4003->4005 4004->4003 4005->3997 4008 402ce4 4007->4008 4014 40623c 4008->4014 4012 40641b 17 API calls 4011->4012 4013 402c2c 4012->4013 4013->4000 4015 40624b 4014->4015 4016 4024aa 4015->4016 4017 406256 RegCreateKeyExA 4015->4017 4016->3997 4016->3998 4016->3999 4017->4016 4494 401cfe 4495 402c17 17 API calls 4494->4495 4496 401d04 IsWindow 4495->4496 4497 401a0e 4496->4497 4498 401000 4499 401037 BeginPaint GetClientRect 4498->4499 4500 40100c DefWindowProcA 4498->4500 4502 4010f3 4499->4502 4503 401179 4500->4503 4504 401073 CreateBrushIndirect FillRect DeleteObject 4502->4504 4505 4010fc 4502->4505 4504->4502 4506 401102 CreateFontIndirectA 4505->4506 4507 401167 EndPaint 4505->4507 4506->4507 4508 401112 6 API calls 4506->4508 4507->4503 4508->4507 4509 401900 4510 402c39 17 API calls 4509->4510 4511 401907 4510->4511 4512 405a9e 
MessageBoxIndirectA 4511->4512 4513 401910 4512->4513 4514 402780 4515 402786 4514->4515 4516 40278a FindNextFileA 4515->4516 4517 40279c 4515->4517 4516->4517 4518 4027db 4516->4518 4520 406388 lstrcpynA 4518->4520 4520->4517 4521 401502 4522 40150a 4521->4522 4524 40151d 4521->4524 4523 402c17 17 API calls 4522->4523 4523->4524 3381 401b87 3382 401bd8 3381->3382 3387 401b94 3381->3387 3383 401c01 GlobalAlloc 3382->3383 3384 401bdc 3382->3384 3386 40641b 17 API calls 3383->3386 3395 40238f 3384->3395 3402 406388 lstrcpynA 3384->3402 3385 40641b 17 API calls 3388 402389 3385->3388 3390 401c1c 3386->3390 3387->3390 3391 401bab 3387->3391 3403 405a9e 3388->3403 3390->3385 3390->3395 3400 406388 lstrcpynA 3391->3400 3392 401bee GlobalFree 3392->3395 3396 401bba 3401 406388 lstrcpynA 3396->3401 3398 401bc9 3407 406388 lstrcpynA 3398->3407 3400->3396 3401->3398 3402->3392 3404 405ab3 3403->3404 3405 405aff 3404->3405 3406 405ac7 MessageBoxIndirectA 3404->3406 3405->3395 3406->3405 3407->3395 4525 406a88 4529 40690c 4525->4529 4526 407277 4527 406996 GlobalAlloc 4527->4526 4527->4529 4528 40698d GlobalFree 4528->4527 4529->4526 4529->4527 4529->4528 4530 406a04 GlobalFree 4529->4530 4531 406a0d GlobalAlloc 4529->4531 4530->4531 4531->4526 4531->4529 3408 401389 3410 401390 3408->3410 3409 4013fe 3410->3409 3411 4013cb MulDiv SendMessageA 3410->3411 3411->3410 4532 404e0a GetDlgItem GetDlgItem 4533 404e60 7 API calls 4532->4533 4540 405087 4532->4540 4534 404f08 DeleteObject 4533->4534 4535 404efc SendMessageA 4533->4535 4536 404f13 4534->4536 4535->4534 4538 404f4a 4536->4538 4541 40641b 17 API calls 4536->4541 4537 405169 4539 405215 4537->4539 4543 40507a 4537->4543 4549 4051c2 SendMessageA 4537->4549 4542 404405 18 API calls 4538->4542 4544 405227 4539->4544 4545 40521f SendMessageA 4539->4545 4540->4537 4564 4050f6 4540->4564 4586 404d58 SendMessageA 4540->4586 4546 404f2c SendMessageA SendMessageA 4541->4546 4547 404f5e 4542->4547 4551 40446c 8 API calls 4543->4551 
4556 405240 4544->4556 4557 405239 ImageList_Destroy 4544->4557 4561 405250 4544->4561 4545->4544 4546->4536 4548 404405 18 API calls 4547->4548 4565 404f6f 4548->4565 4549->4543 4554 4051d7 SendMessageA 4549->4554 4550 40515b SendMessageA 4550->4537 4555 405416 4551->4555 4553 4053ca 4553->4543 4562 4053dc ShowWindow GetDlgItem ShowWindow 4553->4562 4559 4051ea 4554->4559 4560 405249 GlobalFree 4556->4560 4556->4561 4557->4556 4558 405049 GetWindowLongA SetWindowLongA 4563 405062 4558->4563 4571 4051fb SendMessageA 4559->4571 4560->4561 4561->4553 4566 40528b 4561->4566 4591 404dd8 4561->4591 4562->4543 4567 405067 ShowWindow 4563->4567 4568 40507f 4563->4568 4564->4537 4564->4550 4565->4558 4570 404fc1 SendMessageA 4565->4570 4572 405044 4565->4572 4574 405013 SendMessageA 4565->4574 4575 404fff SendMessageA 4565->4575 4579 4052b9 SendMessageA 4566->4579 4583 4052cf 4566->4583 4584 40443a SendMessageA 4567->4584 4585 40443a SendMessageA 4568->4585 4570->4565 4571->4539 4572->4558 4572->4563 4574->4565 4575->4565 4577 405395 4578 4053a0 InvalidateRect 4577->4578 4580 4053ac 4577->4580 4578->4580 4579->4583 4580->4553 4600 404d13 4580->4600 4582 405343 SendMessageA SendMessageA 4582->4583 4583->4577 4583->4582 4584->4543 4585->4540 4587 404db7 SendMessageA 4586->4587 4588 404d7b GetMessagePos ScreenToClient SendMessageA 4586->4588 4590 404daf 4587->4590 4589 404db4 4588->4589 4588->4590 4589->4587 4590->4564 4603 406388 lstrcpynA 4591->4603 4593 404deb 4604 4062e6 wsprintfA 4593->4604 4595 404df5 4596 40140b 2 API calls 4595->4596 4597 404dfe 4596->4597 4605 406388 lstrcpynA 4597->4605 4599 404e05 4599->4566 4606 404c4e 4600->4606 4602 404d28 4602->4553 4603->4593 4604->4595 4605->4599 4607 404c64 4606->4607 4608 40641b 17 API calls 4607->4608 4609 404cc8 4608->4609 4610 40641b 17 API calls 4609->4610 4611 404cd3 4610->4611 4612 40641b 17 API calls 4611->4612 4613 404ce9 lstrlenA wsprintfA SetDlgItemTextA 4612->4613 4613->4602 4614 40298a 4615 402c17 17 API calls 
4614->4615 4617 402990 4615->4617 4616 40641b 17 API calls 4618 4027c8 4616->4618 4617->4616 4617->4618 4619 403f0b 4620 403f23 4619->4620 4621 404084 4619->4621 4620->4621 4622 403f2f 4620->4622 4623 4040d5 4621->4623 4624 404095 GetDlgItem GetDlgItem 4621->4624 4625 403f3a SetWindowPos 4622->4625 4626 403f4d 4622->4626 4628 40412f 4623->4628 4639 401389 2 API calls 4623->4639 4627 404405 18 API calls 4624->4627 4625->4626 4630 403f56 ShowWindow 4626->4630 4631 403f98 4626->4631 4632 4040bf SetClassLongA 4627->4632 4629 404451 SendMessageA 4628->4629 4633 40407f 4628->4633 4660 404141 4629->4660 4634 404042 4630->4634 4635 403f76 GetWindowLongA 4630->4635 4636 403fa0 DestroyWindow 4631->4636 4637 403fb7 4631->4637 4638 40140b 2 API calls 4632->4638 4640 40446c 8 API calls 4634->4640 4635->4634 4641 403f8f ShowWindow 4635->4641 4689 40438e 4636->4689 4642 403fbc SetWindowLongA 4637->4642 4643 403fcd 4637->4643 4638->4623 4644 404107 4639->4644 4640->4633 4641->4631 4642->4633 4643->4634 4648 403fd9 GetDlgItem 4643->4648 4644->4628 4645 40410b SendMessageA 4644->4645 4645->4633 4646 40140b 2 API calls 4646->4660 4647 404390 DestroyWindow EndDialog 4647->4689 4650 404007 4648->4650 4651 403fea SendMessageA IsWindowEnabled 4648->4651 4649 4043bf ShowWindow 4649->4633 4653 404014 4650->4653 4654 40405b SendMessageA 4650->4654 4655 404027 4650->4655 4663 40400c 4650->4663 4651->4633 4651->4650 4652 40641b 17 API calls 4652->4660 4653->4654 4653->4663 4654->4634 4658 404044 4655->4658 4659 40402f 4655->4659 4656 4043de SendMessageA 4656->4634 4657 404405 18 API calls 4657->4660 4662 40140b 2 API calls 4658->4662 4661 40140b 2 API calls 4659->4661 4660->4633 4660->4646 4660->4647 4660->4652 4660->4657 4664 404405 18 API calls 4660->4664 4680 4042d0 DestroyWindow 4660->4680 4661->4663 4662->4663 4663->4634 4663->4656 4665 4041bc GetDlgItem 4664->4665 4666 4041d1 4665->4666 4667 4041d9 ShowWindow EnableWindow 4665->4667 4666->4667 4690 404427 EnableWindow 4667->4690 4669 
404203 EnableWindow 4674 404217 4669->4674 4670 40421c GetSystemMenu EnableMenuItem SendMessageA 4671 40424c SendMessageA 4670->4671 4670->4674 4671->4674 4673 403eec 18 API calls 4673->4674 4674->4670 4674->4673 4691 40443a SendMessageA 4674->4691 4692 406388 lstrcpynA 4674->4692 4676 40427b lstrlenA 4677 40641b 17 API calls 4676->4677 4678 40428c SetWindowTextA 4677->4678 4679 401389 2 API calls 4678->4679 4679->4660 4681 4042ea CreateDialogParamA 4680->4681 4680->4689 4682 40431d 4681->4682 4681->4689 4683 404405 18 API calls 4682->4683 4684 404328 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4683->4684 4685 401389 2 API calls 4684->4685 4686 40436e 4685->4686 4686->4633 4687 404376 ShowWindow 4686->4687 4688 404451 SendMessageA 4687->4688 4688->4689 4689->4633 4689->4649 4690->4669 4691->4674 4692->4676 4693 40260c 4694 402c39 17 API calls 4693->4694 4695 402613 4694->4695 4698 405f1b GetFileAttributesA CreateFileA 4695->4698 4697 40261f 4698->4697 3802 100010d0 GetVersionExA 3803 10001106 3802->3803 3804 100010fc 3802->3804 3805 10001122 LoadLibraryW 3803->3805 3806 1000110e 3803->3806 3808 100011a5 3805->3808 3809 1000113b GetProcAddress 3805->3809 3806->3804 3807 10001225 LoadLibraryA 3806->3807 3807->3804 3812 1000123d GetProcAddress GetProcAddress GetProcAddress 3807->3812 3808->3804 3817 100011c1 WideCharToMultiByte lstrcmpiA 3808->3817 3819 10001217 LocalFree 3808->3819 3821 100011f7 3808->3821 3810 1000118e 3809->3810 3811 1000114e LocalAlloc 3809->3811 3814 1000119a FreeLibrary 3810->3814 3813 10001189 3811->3813 3815 10001323 FreeLibrary 3812->3815 3826 1000126b 3812->3826 3813->3810 3816 1000115c NtQuerySystemInformation 3813->3816 3814->3808 3815->3804 3816->3814 3818 1000116f LocalFree 3816->3818 3817->3808 3818->3810 3820 10001180 LocalAlloc 3818->3820 3819->3804 3820->3813 3821->3808 3828 1000103f OpenProcess 3821->3828 3823 100012a2 lstrlenA 3823->3826 3824 1000131c CloseHandle 3824->3815 3825 100012c4 lstrcpynA lstrcmpiA 3825->3826 
3826->3815 3826->3823 3826->3824 3826->3825 3827 1000103f 8 API calls 3826->3827 3827->3826 3829 10001060 3828->3829 3830 100010cb 3828->3830 3831 1000106b EnumWindows 3829->3831 3832 100010ac TerminateProcess 3829->3832 3830->3821 3831->3832 3833 1000107f GetExitCodeProcess 3831->3833 3838 10001007 GetWindowThreadProcessId 3831->3838 3834 100010be CloseHandle 3832->3834 3835 100010a7 3832->3835 3833->3835 3836 1000108e 3833->3836 3834->3830 3835->3834 3836->3835 3837 10001097 WaitForSingleObject 3836->3837 3837->3832 3837->3835 3839 10001024 PostMessageA 3838->3839 3840 10001036 3838->3840 3839->3840 4699 401490 4700 4054a9 24 API calls 4699->4700 4701 401497 4700->4701 4702 402590 4703 402c79 17 API calls 4702->4703 4704 40259a 4703->4704 4705 402c17 17 API calls 4704->4705 4706 4025a3 4705->4706 4707 4025ca RegEnumValueA 4706->4707 4708 4025be RegEnumKeyA 4706->4708 4710 4027c8 4706->4710 4709 4025df RegCloseKey 4707->4709 4708->4709 4709->4710 4712 406d91 4714 40690c 4712->4714 4713 407277 4714->4713 4714->4714 4715 406996 GlobalAlloc 4714->4715 4716 40698d GlobalFree 4714->4716 4717 406a04 GlobalFree 4714->4717 4718 406a0d GlobalAlloc 4714->4718 4715->4713 4715->4714 4716->4715 4717->4718 4718->4713 4718->4714 4719 404897 4720 4048c3 4719->4720 4721 4048d4 4719->4721 4780 405a82 GetDlgItemTextA 4720->4780 4723 4048e0 GetDlgItem 4721->4723 4724 40493f 4721->4724 4726 4048f4 4723->4726 4731 40641b 17 API calls 4724->4731 4740 404a23 4724->4740 4778 404bcd 4724->4778 4725 4048ce 4727 406666 5 API calls 4725->4727 4729 404908 SetWindowTextA 4726->4729 4730 405db3 4 API calls 4726->4730 4727->4721 4733 404405 18 API calls 4729->4733 4735 4048fe 4730->4735 4736 4049b3 SHBrowseForFolderA 4731->4736 4732 404a53 4737 405e08 18 API calls 4732->4737 4738 404924 4733->4738 4734 40446c 8 API calls 4739 404be1 4734->4739 4735->4729 4744 405d1a 3 API calls 4735->4744 4736->4740 4741 4049cb CoTaskMemFree 4736->4741 4742 404a59 4737->4742 4743 404405 18 API calls 4738->4743 
4740->4778 4782 405a82 GetDlgItemTextA 4740->4782 4745 405d1a 3 API calls 4741->4745 4783 406388 lstrcpynA 4742->4783 4746 404932 4743->4746 4744->4729 4747 4049d8 4745->4747 4781 40443a SendMessageA 4746->4781 4750 404a0f SetDlgItemTextA 4747->4750 4755 40641b 17 API calls 4747->4755 4750->4740 4751 404938 4753 406794 5 API calls 4751->4753 4752 404a70 4754 406794 5 API calls 4752->4754 4753->4724 4761 404a77 4754->4761 4756 4049f7 lstrcmpiA 4755->4756 4756->4750 4759 404a08 lstrcatA 4756->4759 4757 404ab3 4784 406388 lstrcpynA 4757->4784 4759->4750 4760 404aba 4762 405db3 4 API calls 4760->4762 4761->4757 4765 405d61 2 API calls 4761->4765 4767 404b0b 4761->4767 4763 404ac0 GetDiskFreeSpaceA 4762->4763 4766 404ae4 MulDiv 4763->4766 4763->4767 4765->4761 4766->4767 4768 404b7c 4767->4768 4770 404d13 20 API calls 4767->4770 4769 404b9f 4768->4769 4771 40140b 2 API calls 4768->4771 4785 404427 EnableWindow 4769->4785 4772 404b69 4770->4772 4771->4769 4774 404b7e SetDlgItemTextA 4772->4774 4775 404b6e 4772->4775 4774->4768 4777 404c4e 20 API calls 4775->4777 4776 404bbb 4776->4778 4779 4047f0 SendMessageA 4776->4779 4777->4768 4778->4734 4779->4778 4780->4725 4781->4751 4782->4732 4783->4752 4784->4760 4785->4776 4786 40541d 4787 405441 4786->4787 4788 40542d 4786->4788 4791 405449 IsWindowVisible 4787->4791 4797 405460 4787->4797 4789 405433 4788->4789 4790 40548a 4788->4790 4792 404451 SendMessageA 4789->4792 4794 40548f CallWindowProcA 4790->4794 4791->4790 4793 405456 4791->4793 4795 40543d 4792->4795 4796 404d58 5 API calls 4793->4796 4794->4795 4796->4797 4797->4794 4798 404dd8 4 API calls 4797->4798 4798->4790 4799 40149d 4800 4014ab PostQuitMessage 4799->4800 4801 40238f 4799->4801 4800->4801 4802 40159d 4803 402c39 17 API calls 4802->4803 4804 4015a4 SetFileAttributesA 4803->4804 4805 4015b6 4804->4805 4018 40251e 4029 402c79 4018->4029 4021 402c39 17 API calls 4022 402531 4021->4022 4023 40253b RegQueryValueExA 4022->4023 4027 4027c8 4022->4027 4024 402561 
RegCloseKey 4023->4024 4025 40255b 4023->4025 4024->4027 4025->4024 4034 4062e6 wsprintfA 4025->4034 4030 402c39 17 API calls 4029->4030 4031 402c90 4030->4031 4032 40620e RegOpenKeyExA 4031->4032 4033 402528 4032->4033 4033->4021 4034->4024 4806 401a1e 4807 402c39 17 API calls 4806->4807 4808 401a27 ExpandEnvironmentStringsA 4807->4808 4809 401a3b 4808->4809 4811 401a4e 4808->4811 4810 401a40 lstrcmpA 4809->4810 4809->4811 4810->4811 4817 40171f 4818 402c39 17 API calls 4817->4818 4819 401726 SearchPathA 4818->4819 4820 401741 4819->4820 4821 401d1f 4822 402c17 17 API calls 4821->4822 4823 401d26 4822->4823 4824 402c17 17 API calls 4823->4824 4825 401d32 GetDlgItem 4824->4825 4826 402628 4825->4826 4827 402aa0 SendMessageA 4828 402ac5 4827->4828 4829 402aba InvalidateRect 4827->4829 4829->4828 4830 10001363 4831 10001426 2 API calls 4830->4831 4832 1000138f 4831->4832 4833 100010d0 28 API calls 4832->4833 4834 10001399 4833->4834 4835 100014ba 3 API calls 4834->4835 4836 100013a2 4835->4836 4837 4023a4 4838 4023b2 4837->4838 4839 4023ac 4837->4839 4841 4023c2 4838->4841 4843 402c39 17 API calls 4838->4843 4840 402c39 17 API calls 4839->4840 4840->4838 4842 4023d0 4841->4842 4844 402c39 17 API calls 4841->4844 4845 402c39 17 API calls 4842->4845 4843->4841 4844->4842 4846 4023d9 WritePrivateProfileStringA 4845->4846 3286 4020a5 3287 4020b7 3286->3287 3297 402165 3286->3297 3304 402c39 3287->3304 3289 401423 24 API calls 3292 4022ea 3289->3292 3291 402c39 17 API calls 3293 4020c7 3291->3293 3294 4020dc LoadLibraryExA 3293->3294 3295 4020cf GetModuleHandleA 3293->3295 3296 4020ec GetProcAddress 3294->3296 3294->3297 3295->3294 3295->3296 3298 402138 3296->3298 3299 4020fb 3296->3299 3297->3289 3313 4054a9 3298->3313 3302 40210b 3299->3302 3310 401423 3299->3310 3302->3292 3303 402159 FreeLibrary 3302->3303 3303->3292 3305 402c45 3304->3305 3324 40641b 3305->3324 3307 4020be 3307->3291 3311 4054a9 24 API calls 3310->3311 3312 401431 3311->3312 3312->3302 3314 4054c4 
3313->3314 3323 405567 3313->3323 3315 4054e1 lstrlenA 3314->3315 3316 40641b 17 API calls 3314->3316 3317 40550a 3315->3317 3318 4054ef lstrlenA 3315->3318 3316->3315 3320 405510 SetWindowTextA 3317->3320 3321 40551d 3317->3321 3319 405501 lstrcatA 3318->3319 3318->3323 3319->3317 3320->3321 3322 405523 SendMessageA SendMessageA SendMessageA 3321->3322 3321->3323 3322->3323 3323->3302 3325 406428 3324->3325 3326 40664d 3325->3326 3329 406627 lstrlenA 3325->3329 3330 40641b 10 API calls 3325->3330 3334 406543 GetSystemDirectoryA 3325->3334 3335 406556 GetWindowsDirectoryA 3325->3335 3336 406666 5 API calls 3325->3336 3337 40641b 10 API calls 3325->3337 3338 4065d0 lstrcatA 3325->3338 3339 40658a SHGetSpecialFolderLocation 3325->3339 3350 40626f 3325->3350 3355 4062e6 wsprintfA 3325->3355 3356 406388 lstrcpynA 3325->3356 3327 402c66 3326->3327 3357 406388 lstrcpynA 3326->3357 3327->3307 3341 406666 3327->3341 3329->3325 3330->3329 3334->3325 3335->3325 3336->3325 3337->3325 3338->3325 3339->3325 3340 4065a2 SHGetPathFromIDListA CoTaskMemFree 3339->3340 3340->3325 3347 406672 3341->3347 3342 4066da 3343 4066de CharPrevA 3342->3343 3346 4066f9 3342->3346 3343->3342 3344 4066cf CharNextA 3344->3342 3344->3347 3346->3307 3347->3342 3347->3344 3348 4066bd CharNextA 3347->3348 3349 4066ca CharNextA 3347->3349 3362 405d45 3347->3362 3348->3347 3349->3344 3358 40620e 3350->3358 3353 4062a3 RegQueryValueExA RegCloseKey 3354 4062d2 3353->3354 3354->3325 3355->3325 3356->3325 3357->3327 3359 40621d 3358->3359 3360 406221 3359->3360 3361 406226 RegOpenKeyExA 3359->3361 3360->3353 3360->3354 3361->3360 3363 405d4b 3362->3363 3364 405d5e 3363->3364 3365 405d51 CharNextA 3363->3365 3364->3347 3365->3363 4847 402e25 4848 402e34 SetTimer 4847->4848 4849 402e4d 4847->4849 4848->4849 4850 402e9b 4849->4850 4851 402ea1 MulDiv 4849->4851 4852 402e5b wsprintfA SetWindowTextA SetDlgItemTextA 4851->4852 4852->4850 4868 402429 4869 402430 4868->4869 4870 40245b 4868->4870 4871 402c79 17 API 
calls 4869->4871 4872 402c39 17 API calls 4870->4872 4873 402437 4871->4873 4874 402462 4872->4874 4876 402c39 17 API calls 4873->4876 4877 40246f 4873->4877 4879 402cf7 4874->4879 4878 402448 RegDeleteValueA RegCloseKey 4876->4878 4878->4877 4880 402d03 4879->4880 4881 402d0a 4879->4881 4880->4877 4881->4880 4883 402d3b 4881->4883 4884 40620e RegOpenKeyExA 4883->4884 4885 402d69 4884->4885 4886 402d79 RegEnumValueA 4885->4886 4887 402d9c 4885->4887 4894 402e13 4885->4894 4886->4887 4888 402e03 RegCloseKey 4886->4888 4887->4888 4889 402dd8 RegEnumKeyA 4887->4889 4890 402de1 RegCloseKey 4887->4890 4893 402d3b 6 API calls 4887->4893 4888->4894 4889->4887 4889->4890 4891 406794 5 API calls 4890->4891 4892 402df1 4891->4892 4892->4894 4895 402df5 RegDeleteKeyA 4892->4895 4893->4887 4894->4880 4895->4894 4896 4027aa 4897 402c39 17 API calls 4896->4897 4898 4027b1 FindFirstFileA 4897->4898 4899 4027d4 4898->4899 4900 4027c4 4898->4900 4901 4027db 4899->4901 4904 4062e6 wsprintfA 4899->4904 4905 406388 lstrcpynA 4901->4905 4904->4901 4905->4900 4906 403b2c 4907 403b37 4906->4907 4908 403b3b 4907->4908 4909 403b3e GlobalAlloc 4907->4909 4909->4908 4910 401c2e 4911 402c17 17 API calls 4910->4911 4912 401c35 4911->4912 4913 402c17 17 API calls 4912->4913 4914 401c42 4913->4914 4915 402c39 17 API calls 4914->4915 4916 401c57 4914->4916 4915->4916 4917 401c67 4916->4917 4918 402c39 17 API calls 4916->4918 4919 401c72 4917->4919 4920 401cbe 4917->4920 4918->4917 4922 402c17 17 API calls 4919->4922 4921 402c39 17 API calls 4920->4921 4923 401cc3 4921->4923 4924 401c77 4922->4924 4925 402c39 17 API calls 4923->4925 4926 402c17 17 API calls 4924->4926 4927 401ccc FindWindowExA 4925->4927 4928 401c83 4926->4928 4931 401cea 4927->4931 4929 401c90 SendMessageTimeoutA 4928->4929 4930 401cae SendMessageA 4928->4930 4929->4931 4930->4931 4932 40262e 4933 402633 4932->4933 4934 402647 4932->4934 4935 402c17 17 API calls 4933->4935 4936 402c39 17 API calls 4934->4936 4938 40263c 
4935->4938 4937 40264e lstrlenA 4936->4937 4937->4938 4939 402670 4938->4939 4940 405fc2 WriteFile 4938->4940 4940->4939 3841 401932 3842 401934 3841->3842 3843 402c39 17 API calls 3842->3843 3844 401939 3843->3844 3847 405b4a 3844->3847 3848 405e08 18 API calls 3847->3848 3849 405b6a 3848->3849 3850 405b72 DeleteFileA 3849->3850 3851 405b89 3849->3851 3880 401942 3850->3880 3852 405cb7 3851->3852 3884 406388 lstrcpynA 3851->3884 3857 4066ff 2 API calls 3852->3857 3852->3880 3854 405baf 3855 405bc2 3854->3855 3856 405bb5 lstrcatA 3854->3856 3859 405d61 2 API calls 3855->3859 3858 405bc8 3856->3858 3860 405cdb 3857->3860 3861 405bd6 lstrcatA 3858->3861 3862 405be1 lstrlenA FindFirstFileA 3858->3862 3859->3858 3863 405d1a 3 API calls 3860->3863 3860->3880 3861->3862 3862->3852 3871 405c05 3862->3871 3865 405ce5 3863->3865 3864 405d45 CharNextA 3864->3871 3866 405b02 5 API calls 3865->3866 3867 405cf1 3866->3867 3868 405cf5 3867->3868 3869 405d0b 3867->3869 3875 4054a9 24 API calls 3868->3875 3868->3880 3870 4054a9 24 API calls 3869->3870 3870->3880 3871->3864 3872 405c96 FindNextFileA 3871->3872 3879 405b4a 60 API calls 3871->3879 3881 4054a9 24 API calls 3871->3881 3882 4054a9 24 API calls 3871->3882 3883 406161 36 API calls 3871->3883 3885 406388 lstrcpynA 3871->3885 3886 405b02 3871->3886 3872->3871 3874 405cae FindClose 3872->3874 3874->3852 3876 405d02 3875->3876 3877 406161 36 API calls 3876->3877 3877->3880 3879->3871 3881->3872 3882->3871 3883->3871 3884->3854 3885->3871 3894 405ef6 GetFileAttributesA 3886->3894 3889 405b2f 3889->3871 3890 405b25 DeleteFileA 3892 405b2b 3890->3892 3891 405b1d RemoveDirectoryA 3891->3892 3892->3889 3893 405b3b SetFileAttributesA 3892->3893 3893->3889 3895 405b0e 3894->3895 3896 405f08 SetFileAttributesA 3894->3896 3895->3889 3895->3890 3895->3891 3896->3895 4941 402733 4942 40273a 4941->4942 4944 402a47 4941->4944 4943 402c17 17 API calls 4942->4943 4945 402741 4943->4945 4946 402750 SetFilePointer 4945->4946 4946->4944 4947 
402760 4946->4947 4949 4062e6 wsprintfA 4947->4949 4949->4944 4950 401e35 GetDC 4951 402c17 17 API calls 4950->4951 4952 401e47 GetDeviceCaps MulDiv ReleaseDC 4951->4952 4953 402c17 17 API calls 4952->4953 4954 401e78 4953->4954 4955 40641b 17 API calls 4954->4955 4956 401eb5 CreateFontIndirectA 4955->4956 4957 402628 4956->4957 4958 4014b7 4959 4014bd 4958->4959 4960 401389 2 API calls 4959->4960 4961 4014c5 4960->4961 3957 4015bb 3958 402c39 17 API calls 3957->3958 3959 4015c2 3958->3959 3960 405db3 4 API calls 3959->3960 3973 4015ca 3960->3973 3961 401624 3963 401652 3961->3963 3964 401629 3961->3964 3962 405d45 CharNextA 3962->3973 3966 401423 24 API calls 3963->3966 3965 401423 24 API calls 3964->3965 3967 401630 3965->3967 3972 40164a 3966->3972 3976 406388 lstrcpynA 3967->3976 3968 4059ec 2 API calls 3968->3973 3970 405a09 5 API calls 3970->3973 3971 40163b SetCurrentDirectoryA 3971->3972 3973->3961 3973->3962 3973->3968 3973->3970 3974 40160c GetFileAttributesA 3973->3974 3975 40596f 4 API calls 3973->3975 3974->3973 3975->3973 3976->3971 4962 40453b lstrcpynA lstrlenA 4963 4016bb 4964 402c39 17 API calls 4963->4964 4965 4016c1 GetFullPathNameA 4964->4965 4966 4016d8 4965->4966 4972 4016f9 4965->4972 4969 4066ff 2 API calls 4966->4969 4966->4972 4967 402ac5 4968 40170d GetShortPathNameA 4968->4967 4970 4016e9 4969->4970 4970->4972 4973 406388 lstrcpynA 4970->4973 4972->4967 4972->4968 4973->4972

Control-flow Graph (function at 0x4034cc; blocks are coloured Executed / Not Executed in the interactive viewer. The basic-block and edge dump of that graph is not recoverable as text and is omitted; the APIs the function calls are listed below.)
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00008001), ref: 004034EF
                                                              • GetVersionExA.KERNEL32(?), ref: 00403518
                                                              • GetVersionExA.KERNEL32(0000009C), ref: 0040352F
                                                              • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F8
                                                              • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403635
                                                              • OleInitialize.OLE32(00000000), ref: 0040363C
                                                              • SHGetFileInfoA.SHELL32(0041FD10,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040365A
                                                              • GetCommandLineA.KERNEL32(00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 0040366F
                                                              • CharNextA.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe",00000020,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe",00000000,?,00000007,00000009,0000000B), ref: 004036A9
                                                              • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 004037A2
                                                              • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004037B3
                                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037BF
                                                              • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037D3
                                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037DB
                                                              • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037EC
                                                              • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004037F4
                                                              • DeleteFileA.KERNEL32(1033,?,00000007,00000009,0000000B), ref: 00403808
                                                              • ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 004038AE
                                                              • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004038B3
                                                              • ExitProcess.KERNEL32 ref: 004038D4
                                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004038E7
                                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A1B0,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004038F6
                                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe",00000000,?,?,00000007,00000009,0000000B), ref: 00403901
                                                              • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 0040390D
                                                              • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403929
                                                              • DeleteFileA.KERNEL32(0041F910,0041F910,?,00425000,?,?,00000007,00000009,0000000B), ref: 00403986
                                                              • CopyFileA.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe,0041F910,00000001), ref: 0040399B
                                                              • CloseHandle.KERNEL32(00000000,0041F910,0041F910,?,0041F910,00000000,?,00000007,00000009,0000000B), ref: 004039C8
                                                              • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004039F6
                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 004039FD
                                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A11
                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A30
                                                              • ExitWindowsEx.USER32(00000002,80040002), ref: 00403A55
                                                              • ExitProcess.KERNEL32 ref: 00403A76
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                                                              • String ID: "$"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe"$.tmp$1033$A$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall\update$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                              • API String ID: 2882342585-4032267494
                                                              • Opcode ID: d8607602e3c077556342ba5fadc775b1d1828e72ea1310baa32c0a7e59fa0962
                                                              • Instruction ID: 1a4863036e4e50ed5e1acae1e6299f6db15da00d6e87979e5214c03ba8a99dba
                                                              • Opcode Fuzzy Hash: d8607602e3c077556342ba5fadc775b1d1828e72ea1310baa32c0a7e59fa0962
                                                              • Instruction Fuzzy Hash: 99E1D270A04354AADB21AF659D49B6F7EB89F86306F0540BFF441B61D2CB7C4A05CB2E

                                                              Control-flow Graph
                                                              APIs
                                                              • GetVersionExA.KERNEL32(?), ref: 100010F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3221901387.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000000.00000002.3221882363.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000000.00000002.3221921723.0000000010002000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000000.00000002.3221941500.0000000010004000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Version
                                                              • String ID: CreateToolhelp32Snapshot$KERNEL32.DLL$NTDLL.DLL$NtQuerySystemInformation$Process32First$Process32Next
                                                              • API String ID: 1889659487-877962304
                                                              • Opcode ID: 65e34132412926b77cd70352a95a1b322544ba155a4a88647b4c9b484df59334
                                                              • Instruction ID: 3df706415bff85d1043f51983ae3f68c733976b3404a17f8fb4488dcc6387507
                                                              • Opcode Fuzzy Hash: 65e34132412926b77cd70352a95a1b322544ba155a4a88647b4c9b484df59334
                                                              • Instruction Fuzzy Hash: 19715871900659EFFB11DFA4CC88ADE3BEAEB483C4F250026FA19D2159E6358E49CB50

                                                              Control-flow Graph
                                                              APIs
                                                              • DeleteFileA.KERNEL32(?,?,75923410,75922EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe"), ref: 00405B73
                                                              • lstrcatA.KERNEL32(00421D58,\*.*,00421D58,?,?,75923410,75922EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe"), ref: 00405BBB
                                                              • lstrcatA.KERNEL32(?,0040A014,?,00421D58,?,?,75923410,75922EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe"), ref: 00405BDC
                                                              • lstrlenA.KERNEL32(?,?,0040A014,?,00421D58,?,?,75923410,75922EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe"), ref: 00405BE2
                                                              • FindFirstFileA.KERNEL32(00421D58,?,?,?,0040A014,?,00421D58,?,?,75923410,75922EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe"), ref: 00405BF3
                                                              • FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405CA0
                                                              • FindClose.KERNEL32(00000000), ref: 00405CB1
                                                              Strings
                                                              • "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe", xrefs: 00405B53
                                                              • \*.*, xrefs: 00405BB5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                              • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe"$\*.*
                                                              • API String ID: 2035342205-1200136720
                                                              • Opcode ID: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
                                                              • Instruction ID: 9e5d3321e74a3647b1fb2cdcf4bec0a51507e3563529971eb59e862f6dba24c5
                                                              • Opcode Fuzzy Hash: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
                                                              • Instruction Fuzzy Hash: 2B519130908B04AAEB316B61CC49BAF7AB8DF82755F14813FF851B51D2C73C5982DE69

                                                              Control-flow Graph
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
                                                              • Instruction ID: c2ee61ea0ab5e5811791f69f03c7ffba3fbd093a674906ee4b434ab4c587e2e9
                                                              • Opcode Fuzzy Hash: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
                                                              • Instruction Fuzzy Hash: 0FF18A70D04269CBDF28CF98C8946ADBBB0FF44305F24816ED856BB281D7786A86DF45
                                                              APIs
                                                              • FindFirstFileA.KERNEL32(75923410,004225A0,C:\,00405E4B,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0), ref: 0040670A
                                                              • FindClose.KERNEL32(00000000), ref: 00406716
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Find$CloseFileFirst
                                                              • String ID: C:\
                                                              • API String ID: 2295610775-3404278061
                                                              • Opcode ID: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
                                                              • Instruction ID: 083b1303d1f5dd1ba3b50291930e0491dd498af142a60d7bee4daa0eb941c193
                                                              • Opcode Fuzzy Hash: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
                                                              • Instruction Fuzzy Hash: B3D01231515120BBC3405B38AE0C95B7E589F093747618A36F066F22E4DB74CC6286AC

                                                              Control-flow Graph
                                                              APIs
                                                                • Part of subcall function 00406794: GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
                                                                • Part of subcall function 00406794: GetProcAddress.KERNEL32(00000000,?), ref: 004067C1
                                                              • lstrcatA.KERNEL32(1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,75923410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe",00000009,0000000B), ref: 00403BE9
                                                              • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,?,?,?,C:\Users\user\AppData\Local\Temp\setup.exe,00000000,C:\Users\user\AppData\Roaming\GamePall,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,75923410), ref: 00403C5E
                                                              • lstrcmpiA.KERNEL32(?,.exe), ref: 00403C71
                                                              • GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,?,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe",00000009,0000000B), ref: 00403C7C
                                                              • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\GamePall), ref: 00403CC5
                                                                • Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3
                                                              • RegisterClassA.USER32(00423EE0), ref: 00403D02
                                                              • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403D1A
                                                              • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403D4F
                                                              • ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe",00000009,0000000B), ref: 00403D85
                                                              • GetClassInfoA.USER32(00000000,RichEdit20A,00423EE0), ref: 00403DB1
                                                              • GetClassInfoA.USER32(00000000,RichEdit,00423EE0), ref: 00403DBE
                                                              • RegisterClassA.USER32(00423EE0), ref: 00403DC7
                                                              • DialogBoxParamA.USER32(?,00000000,00403F0B,00000000), ref: 00403DE6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                              • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\GamePall$Control Panel\Desktop\ResourceLocale$PB$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$>B
                                                              • API String ID: 1975747703-2003197939
                                                              • Opcode ID: dbde64bc3a376ab52a9cb3762a64ce6a0c2f330f4a95e62c6433b020d27b21d7
                                                              • Instruction ID: 5836c5bb6a6ef8c4ff0aed12ec42ff3eebf2d58129c507535c8ab2622d1094a3
                                                              • Opcode Fuzzy Hash: dbde64bc3a376ab52a9cb3762a64ce6a0c2f330f4a95e62c6433b020d27b21d7
                                                              • Instruction Fuzzy Hash: 4F61D670204200AED620AF65AD45F3B3A7CEB8574AF41453FF951B62E2CB7D9D028B6D

                                                              Control-flow Graph

                                                              control_flow_graph 275 402f5c-402faa GetTickCount GetModuleFileNameA call 405f1b 278 402fb6-402fe4 call 406388 call 405d61 call 406388 GetFileSize 275->278 279 402fac-402fb1 275->279 287 402fea 278->287 288 4030cf-4030dd call 402ebd 278->288 280 4031f6-4031fa 279->280 290 402fef-403006 287->290 295 4030e3-4030e6 288->295 296 4031ae-4031b3 288->296 292 403008 290->292 293 40300a-403013 call 40346e 290->293 292->293 300 403019-403020 293->300 301 40316a-403172 call 402ebd 293->301 298 403112-40315e GlobalAlloc call 4068b9 call 405f4a CreateFileA 295->298 299 4030e8-403100 call 403484 call 40346e 295->299 296->280 326 403160-403165 298->326 327 403174-4031a4 call 403484 call 4031fd 298->327 299->296 321 403106-40310c 299->321 305 403022-403036 call 405ed6 300->305 306 40309c-4030a0 300->306 301->296 311 4030aa-4030b0 305->311 324 403038-40303f 305->324 310 4030a2-4030a9 call 402ebd 306->310 306->311 310->311 317 4030b2-4030bc call 40684b 311->317 318 4030bf-4030c7 311->318 317->318 318->290 325 4030cd 318->325 321->296 321->298 324->311 329 403041-403048 324->329 325->288 326->280 335 4031a9-4031ac 327->335 329->311 331 40304a-403051 329->331 331->311 334 403053-40305a 331->334 334->311 336 40305c-40307c 334->336 335->296 337 4031b5-4031c6 335->337 336->296 338 403082-403086 336->338 339 4031c8 337->339 340 4031ce-4031d3 337->340 341 403088-40308c 338->341 342 40308e-403096 338->342 339->340 343 4031d4-4031da 340->343 341->325 341->342 342->311 344 403098-40309a 342->344 343->343 345 4031dc-4031f4 call 405ed6 343->345 344->311 345->280
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 00402F70
                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe,00000400), ref: 00402F8C
                                                                • Part of subcall function 00405F1B: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe,80000000,00000003), ref: 00405F1F
                                                                • Part of subcall function 00405F1B: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
                                                              • GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe,80000000,00000003), ref: 00402FD5
                                                              • GlobalAlloc.KERNEL32(00000040,00000009), ref: 00403117
                                                              Strings
                                                              • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004031AE
                                                              • Error launching installer, xrefs: 00402FAC
                                                              • Null, xrefs: 00403053
                                                              • "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe", xrefs: 00402F65
                                                              • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403160
                                                              • Inst, xrefs: 00403041
                                                              • C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, xrefs: 00402F76, 00402F85, 00402F99, 00402FB6
                                                              • C:\Users\user\Desktop, xrefs: 00402FB7, 00402FBC, 00402FC2
                                                              • soft, xrefs: 0040304A
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00402F66, 0040312F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                              • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                              • API String ID: 2803837635-378742195
                                                              • Opcode ID: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
                                                              • Instruction ID: 8a05da1d373fd2b3e089436e62a275652004ed3b6aa6cfe031be989f12afac8e
                                                              • Opcode Fuzzy Hash: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
                                                              • Instruction Fuzzy Hash: 0771E231A01218ABDB20EF65DD85B9E7BACEB44356F10813BF910BA2C1D77C9E458B5C

                                                              Control-flow Graph

                                                              control_flow_graph 348 40641b-406426 349 406428-406437 348->349 350 406439-40644f 348->350 349->350 351 406643-406647 350->351 352 406455-406460 350->352 354 406472-40647c 351->354 355 40664d-406657 351->355 352->351 353 406466-40646d 352->353 353->351 354->355 356 406482-406489 354->356 357 406662-406663 355->357 358 406659-40665d call 406388 355->358 359 406636 356->359 360 40648f-4064c3 356->360 358->357 362 406640-406642 359->362 363 406638-40663e 359->363 364 4065e3-4065e6 360->364 365 4064c9-4064d3 360->365 362->351 363->351 368 406616-406619 364->368 369 4065e8-4065eb 364->369 366 4064f0 365->366 367 4064d5-4064de 365->367 375 4064f7-4064fe 366->375 367->366 372 4064e0-4064e3 367->372 370 406627-406634 lstrlenA 368->370 371 40661b-406622 call 40641b 368->371 373 4065fb-406607 call 406388 369->373 374 4065ed-4065f9 call 4062e6 369->374 370->351 371->370 372->366 377 4064e5-4064e8 372->377 386 40660c-406612 373->386 374->386 379 406500-406502 375->379 380 406503-406505 375->380 377->366 382 4064ea-4064ee 377->382 379->380 384 406507-40652a call 40626f 380->384 385 40653e-406541 380->385 382->375 396 406530-406539 call 40641b 384->396 397 4065ca-4065ce 384->397 389 406551-406554 385->389 390 406543-40654f GetSystemDirectoryA 385->390 386->370 388 406614 386->388 392 4065db-4065e1 call 406666 388->392 394 4065c1-4065c3 389->394 395 406556-406564 GetWindowsDirectoryA 389->395 393 4065c5-4065c8 390->393 392->370 393->392 393->397 394->393 398 406566-406570 394->398 395->394 396->393 397->392 401 4065d0-4065d6 lstrcatA 397->401 403 406572-406575 398->403 404 40658a-4065a0 SHGetSpecialFolderLocation 398->404 401->392 403->404 406 406577-40657e 403->406 407 4065a2-4065bc SHGetPathFromIDListA CoTaskMemFree 404->407 408 4065be 404->408 409 406586-406588 406->409 407->393 407->408 408->394 409->393 409->404
                                                              APIs
                                                              • GetSystemDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,00000400), ref: 00406549
                                                              • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,00000400,?,00420530,00000000,004054E1,00420530,00000000), ref: 0040655C
                                                              • SHGetSpecialFolderLocation.SHELL32(004054E1,00000000,?,00420530,00000000,004054E1,00420530,00000000), ref: 00406598
                                                              • SHGetPathFromIDListA.SHELL32(00000000,C:\Users\user\AppData\Local\Temp\setup.exe), ref: 004065A6
                                                              • CoTaskMemFree.OLE32(00000000), ref: 004065B2
                                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D6
                                                              • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,?,00420530,00000000,004054E1,00420530,00000000,00000000,00000000,00000000), ref: 00406628
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                              • String ID: C:\Users\user\AppData\Local\Temp\setup.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                              • API String ID: 717251189-3033995795
                                                              • Opcode ID: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
                                                              • Instruction ID: f38e20b3a3e0c1a2470d5ac0c6d90f06be75126661b475aa23e0086d5b044b98
                                                              • Opcode Fuzzy Hash: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
                                                              • Instruction Fuzzy Hash: 9F612370900114AEDF205F24EC90BBA3BA4EB52314F52403FE913B62D1D37D8A62DB4E

                                                              Control-flow Graph

                                                              APIs
                                                              • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\GamePall\update,00000000,00000000,00000031), ref: 00401798
                                                              • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\GamePall\update,00000000,00000000,00000031), ref: 004017C2
                                                                • Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395
                                                                • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                                • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                                • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                                • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                              • String ID: C:\Users\user\AppData\Local\Temp\nsb470F.tmp\INetC.dll$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\GamePall\update
                                                              • API String ID: 1941528284-3404335098
                                                              • Opcode ID: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
                                                              • Instruction ID: 0d76be79c55a0237b493b10f9ec5be6125ba7ce9be49b25e4c886387d44134cc
                                                              • Opcode Fuzzy Hash: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
                                                              • Instruction Fuzzy Hash: E141B731900615BBCB107BB5CC45DAF3668EF45329B61833BF422F10E1D67C8A529AAE

                                                              Control-flow Graph

                                                              control_flow_graph 546 40596f-4059ba CreateDirectoryA 547 4059c0-4059cd GetLastError 546->547 548 4059bc-4059be 546->548 549 4059e7-4059e9 547->549 550 4059cf-4059e3 SetFileSecurityA 547->550 548->549 550->548 551 4059e5 GetLastError 550->551 551->549
                                                              APIs
                                                              • CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
                                                              • GetLastError.KERNEL32 ref: 004059C6
                                                              • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004059DB
                                                              • GetLastError.KERNEL32 ref: 004059E5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                              • String ID: !9@$C:\Users\user\AppData\Local\Temp\
                                                              • API String ID: 3449924974-3700438604
                                                              • Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                                                              • Instruction ID: 4cd508ff09270142ca7a6984d66ae253fefa4e1f6983b248f3af4f59f5a14231
                                                              • Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                                                              • Instruction Fuzzy Hash: 610108B1D00259DAEF109BA0CA45BEFBBB8EB04354F00403AD645B6290D7789648CF99

                                                              Control-flow Graph

                                                              control_flow_graph 552 406726-406746 GetSystemDirectoryA 553 406748 552->553 554 40674a-40674c 552->554 553->554 555 40675c-40675e 554->555 556 40674e-406756 554->556 558 40675f-406791 wsprintfA LoadLibraryExA 555->558 556->555 557 406758-40675a 556->557 557->558
                                                              APIs
                                                              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
                                                              • wsprintfA.USER32 ref: 00406776
                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040678A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: DirectoryLibraryLoadSystemwsprintf
                                                              • String ID: %s%s.dll$UXTHEME$\
                                                              • API String ID: 2200240437-4240819195
                                                              • Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                                                              • Instruction ID: 0c3db372634d2cfba6f48721b0c795b31ebca02323a8b7d7371d162bf0ec7b9a
                                                              • Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                                                              • Instruction Fuzzy Hash: FBF0FC7050021966DB15A764DD0DFEA365CAB08309F1404BEA586E20C1D6B8D5258B69

                                                               Control-flow Graph (legend: Executed / Not Executed)
                                                              control_flow_graph 559 4068d9-4068fc 560 406906-406909 559->560 561 4068fe-406901 559->561 563 40690c-406915 560->563 562 407326-40732a 561->562 564 407323 563->564 565 40691b 563->565 564->562 566 406922-406926 565->566 567 406a62-407109 565->567 568 4069c7-4069cb 565->568 569 406a37-406a3b 565->569 573 40692c-406939 566->573 574 40730e-407321 566->574 578 407123-407139 567->578 579 40710b-407121 567->579 571 4069d1-4069ea 568->571 572 407277-407281 568->572 575 406a41-406a55 569->575 576 407286-407290 569->576 577 4069ed-4069f1 571->577 572->574 573->564 580 40693f-406985 573->580 574->562 581 406a58-406a60 575->581 576->574 577->568 583 4069f3-4069f9 577->583 582 40713c-407143 578->582 579->582 584 406987-40698b 580->584 585 4069ad-4069af 580->585 581->567 581->569 590 407145-407149 582->590 591 40716a-407176 582->591 588 406a23-406a35 583->588 589 4069fb-406a02 583->589 592 406996-4069a4 GlobalAlloc 584->592 593 40698d-406990 GlobalFree 584->593 586 4069b1-4069bb 585->586 587 4069bd-4069c5 585->587 586->586 586->587 587->577 588->581 595 406a04-406a07 GlobalFree 589->595 596 406a0d-406a1d GlobalAlloc 589->596 597 4072f8-407302 590->597 598 40714f-407167 590->598 591->563 592->564 594 4069aa 592->594 593->592 594->585 595->596 596->564 596->588 597->574 598->591
                                                              Strings
                                                              • o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 004068E3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
                                                              • API String ID: 0-292220189
                                                              • Opcode ID: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
                                                              • Instruction ID: 8182d74baebb800b0d472bca2432a1a472ea96a2662ae7b36db949844af6c4d7
                                                              • Opcode Fuzzy Hash: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
                                                              • Instruction Fuzzy Hash: DF815971E04228DBEF24CFA8C844BADBBB1FF44305F10816AD956BB281C7786986DF45

                                                               Control-flow Graph (legend: Executed / Not Executed)
                                                              control_flow_graph 600 403305-40332d GetTickCount 601 403333-40335e call 403484 SetFilePointer 600->601 602 40345d-403465 call 402ebd 600->602 608 403363-403375 601->608 607 403467-40346b 602->607 609 403377 608->609 610 403379-403387 call 40346e 608->610 609->610 613 40338d-403399 610->613 614 40344f-403452 610->614 615 40339f-4033a5 613->615 614->607 616 4033d0-4033ec call 4068d9 615->616 617 4033a7-4033ad 615->617 623 403458 616->623 624 4033ee-4033f6 616->624 617->616 618 4033af-4033cf call 402ebd 617->618 618->616 625 40345a-40345b 623->625 626 4033f8-403400 call 405fc2 624->626 627 403419-40341f 624->627 625->607 631 403405-403407 626->631 627->623 629 403421-403423 627->629 629->623 630 403425-403438 629->630 630->608 632 40343e-40344d SetFilePointer 630->632 633 403454-403456 631->633 634 403409-403415 631->634 632->602 633->625 634->615 635 403417 634->635 635->630
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 00403319
                                                                • Part of subcall function 00403484: SetFilePointer.KERNEL32(00000000,00000000,00000000,00403182,?), ref: 00403492
                                                              • SetFilePointer.KERNEL32(00000000,00000000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 0040334C
                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000), ref: 00403447
                                                              Strings
                                                              • o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00403379, 0040337F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: FilePointer$CountTick
                                                              • String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
                                                              • API String ID: 1092082344-292220189
                                                              • Opcode ID: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
                                                              • Instruction ID: 5f41a1ef9683aad456499e8308d87ccfcfa217f8aa92108fcff4f05b83e24891
                                                              • Opcode Fuzzy Hash: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
                                                              • Instruction Fuzzy Hash: 1F319F72A002059FC711BF2AFE849663BACE741356710C13BE814B62F0CB3859458FAD

                                                               Control-flow Graph (legend: Executed / Not Executed)
                                                              control_flow_graph 636 405f4a-405f54 637 405f55-405f80 GetTickCount GetTempFileNameA 636->637 638 405f82-405f84 637->638 639 405f8f-405f91 637->639 638->637 641 405f86 638->641 640 405f89-405f8c 639->640 641->640
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 00405F5E
                                                              • GetTempFileNameA.KERNEL32(0000000B,?,00000000,?,?,004034CA,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007), ref: 00405F78
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CountFileNameTempTick
                                                              • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                              • API String ID: 1716503409-44229769
                                                              • Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                                                              • Instruction ID: 05c77450f8afc2c62a5a11a921c51d956a1ea51751b09822177720344b0c8500
                                                              • Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                                                              • Instruction Fuzzy Hash: 02F082363042087BDB109F55DD44BAB7B9CDF91750F14C03BFE48DA180D6B4D9988798

                                                               Control-flow Graph (legend: Executed / Not Executed)
                                                              control_flow_graph 642 4020a5-4020b1 643 4020b7-4020cd call 402c39 * 2 642->643 644 40216c-40216e 642->644 654 4020dc-4020ea LoadLibraryExA 643->654 655 4020cf-4020da GetModuleHandleA 643->655 646 4022e5-4022ea call 401423 644->646 651 402ac5-402ad4 646->651 657 4020ec-4020f9 GetProcAddress 654->657 658 402165-402167 654->658 655->654 655->657 659 402138-40213d call 4054a9 657->659 660 4020fb-402101 657->660 658->646 664 402142-402145 659->664 662 402103-40210f call 401423 660->662 663 40211a-402136 660->663 662->664 673 402111-402118 662->673 663->664 664->651 667 40214b-402153 call 403b0e 664->667 667->651 672 402159-402160 FreeLibrary 667->672 672->651 673->664
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020D0
                                                                • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                                • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                                • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                                • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                                                              • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020E0
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
                                                              • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                              • String ID:
                                                              • API String ID: 2987980305-0
                                                              • Opcode ID: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
                                                              • Instruction ID: efc1da79dccaef9ffb2761d2644f5cd4432d5c2edc08e83b6cf0327c91c21bf2
                                                              • Opcode Fuzzy Hash: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
                                                              • Instruction Fuzzy Hash: 2B210832904214E7CF207FA58E4DAAE3A60AF44358F60413FF601B61E0DBBD49819A6E

                                                               Control-flow Graph (legend: Executed / Not Executed)
                                                              control_flow_graph 674 403a7c-403a8b 675 403a97-403a9f 674->675 676 403a8d-403a90 CloseHandle 674->676 677 403aa1-403aa4 CloseHandle 675->677 678 403aab-403ab7 call 403ad9 call 405b4a 675->678 676->675 677->678 682 403abc-403abd 678->682
                                                              APIs
                                                              • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403A8E
                                                              • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403AA2
                                                              Strings
                                                              • C:\Users\user\AppData\Local\Temp\nsb470F.tmp\, xrefs: 00403AB2
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00403A81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsb470F.tmp\
                                                              • API String ID: 2962429428-1323097433
                                                              • Opcode ID: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
                                                              • Instruction ID: f2bf129958ed6937e4157d035670f95a6da1e01cb45a681b65e96f9405f647bf
                                                              • Opcode Fuzzy Hash: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
                                                              • Instruction Fuzzy Hash: F4E08631640B1896C130EF7CAD4D8853B189B413357204726F1B9F20F0C738A9574EE9
                                                              APIs
                                                              • SetFilePointer.KERNEL32(00000009,00000000,00000000,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 00403222
                                                              Strings
                                                              • o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00403277, 0040328E, 004032A4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: FilePointer
                                                              • String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
                                                              • API String ID: 973152223-292220189
                                                              • Opcode ID: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
                                                              • Instruction ID: 301e065564a74905a78554ad982773151ad037ba2d6e6f8d8cd401a7b941de18
                                                              • Opcode Fuzzy Hash: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
                                                              • Instruction Fuzzy Hash: E2318D30200219FFDB109F95ED45A9A3FA8EB05755B20847EB914E61D0D738DB509FA9
                                                              APIs
                                                                • Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe"), ref: 00405DC1
                                                                • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
                                                                • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA
                                                              • GetFileAttributesA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                                • Part of subcall function 0040596F: CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
                                                              • SetCurrentDirectoryA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\GamePall\update,00000000,00000000,000000F0), ref: 0040163C
                                                              Strings
                                                              • C:\Users\user\AppData\Roaming\GamePall\update, xrefs: 00401631
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                              • String ID: C:\Users\user\AppData\Roaming\GamePall\update
                                                              • API String ID: 1892508949-2725132131
                                                              • Opcode ID: 686546c29d77d16800122f5f58dad040e92f1cd5cb46c8d43cba2cc5979698c7
                                                              • Instruction ID: f3b3600b6319d637c5497ea1020ed17c5aedac6227b62b2eaa768bc98e31f113
                                                              • Opcode Fuzzy Hash: 686546c29d77d16800122f5f58dad040e92f1cd5cb46c8d43cba2cc5979698c7
                                                              • Instruction Fuzzy Hash: 09115731508140EBCF306FA54D405BF23B09E96324B28453FF8D1B22E2DA3D0C42AA3E
APIs
  • Part of subcall function 00405A64: ShellExecuteExA.SHELL32(?,0040484C,?), ref: 00405A73
  • Part of subcall function 00406809: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
  • Part of subcall function 00406809: GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C
• FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 00401FC0
Strings
• @, xrefs: 00401F64
• C:\Users\user\AppData\Roaming\GamePall\update, xrefs: 00401F47
Memory Dump Source
• Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: ChangeCloseCodeExecuteExitFindNotificationObjectProcessShellSingleWait
• String ID: @$C:\Users\user\AppData\Roaming\GamePall\update
• API String ID: 4215836453-930141728
APIs
  • Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395
  • Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe"), ref: 00405DC1
  • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
  • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA
• lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe"), ref: 00405E5B
• GetFileAttributesA.KERNEL32(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0), ref: 00405E6B
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: C:\
• API String ID: 3248276644-3404278061
APIs
• GlobalFree.KERNEL32(00000000), ref: 00401BF6
• GlobalAlloc.KERNEL32(00000040,00000404), ref: 00401C08
Similarity
• API ID: Global$AllocFree
• String ID: C:\Users\user\AppData\Local\Temp\setup.exe
• API String ID: 3394109436-4037476823
APIs
• lstrlenA.KERNEL32(0040AC20,00000023,00000011,00000002), ref: 004024C9
• RegSetValueExA.KERNEL32(?,?,?,?,0040AC20,00000000,00000011,00000002), ref: 00402509
• RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
Similarity
• API ID: CloseValuelstrlen
• API String ID: 2655323295-0
APIs
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C2
• RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025D5
• RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
                                                              Similarity
                                                              • API ID: Enum$CloseValue
                                                              • String ID:
                                                              • API String ID: 397863658-0
                                                              • Opcode ID: 705f8b49631554dcec7b4eb98624595070a3904998d9344154508b49de78e75c
                                                              • Instruction ID: 33ff3e85e785963e302667c06a3cb1355a7acd8bf142a31c2560ef5bcfc7d759
                                                              • Opcode Fuzzy Hash: 705f8b49631554dcec7b4eb98624595070a3904998d9344154508b49de78e75c
                                                              • Instruction Fuzzy Hash: 2C017571904104FFE7158F54DE88ABF7BACEF81358F20443EF101A61C0DAB44E449679
                                                              APIs
                                                                • Part of subcall function 00405EF6: GetFileAttributesA.KERNEL32(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
                                                                • Part of subcall function 00405EF6: SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F0F
                                                              • RemoveDirectoryA.KERNEL32(?,?,?,00000000,00405CF1), ref: 00405B1D
                                                              • DeleteFileA.KERNEL32(?,?,?,00000000,00405CF1), ref: 00405B25
                                                              • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B3D
                                                              Similarity
                                                              • API ID: File$Attributes$DeleteDirectoryRemove
                                                              • String ID:
                                                              • API String ID: 1655745494-0
                                                              • Opcode ID: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
                                                              • Instruction ID: eeb49a2f717892c2e0964ab94aaac89db2a73fdd151ed94c70539e0cf44bba43
                                                              • Opcode Fuzzy Hash: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
                                                              • Instruction Fuzzy Hash: 6CE0E531109A9097C62067349908A5B7AF8EF86314F094D3AF9A1F20D0DB38B9468EBD
                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
                                                              • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 0040682F
                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C
                                                              Similarity
                                                              • API ID: ObjectSingleWait$CodeExitProcess
                                                              • String ID:
                                                              • API String ID: 2567322000-0
                                                              • Opcode ID: d1ff3f73a38d8d565191ded27fad29c52e1940f561348969c9200a5cb4687b78
                                                              • Instruction ID: abee92fc01d0549169be82d64ea8a54f8020188e09ec540bf7ef67874f21f581
                                                              • Opcode Fuzzy Hash: d1ff3f73a38d8d565191ded27fad29c52e1940f561348969c9200a5cb4687b78
                                                              • Instruction Fuzzy Hash: 9DE0D832600118FBDB00AB54DD05E9E7F6EEB44704F114033F601B6190C7B59E21DB98
                                                              APIs
                                                              • ReadFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,0040B8F8,00403481,00000009,00000009,00403385,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F), ref: 00405FA7
                                                              Strings
                                                              • o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00405F96
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
                                                              • API String ID: 2738559852-292220189
                                                              • Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
                                                              • Instruction ID: 61a6516da629700e98a59d605e8380186fb5f41ecf47873683bd74a9a2ef61d4
                                                              • Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
                                                              • Instruction Fuzzy Hash: 8BE08C3220161EEBEF119E508C00AEBBB6CEB00360F004433FD25E3140E234E9218BA8
                                                              APIs
                                                              • RegQueryValueExA.KERNEL32(00000000,00000000,?,?,?,?), ref: 0040254E
                                                              • RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
                                                              Similarity
                                                              • API ID: CloseQueryValue
                                                              • String ID:
                                                              • API String ID: 3356406503-0
                                                              • Opcode ID: acecc3e732b5dbd74a9740bd21ea2b495ff764a52a6e8e2361329d984987feff
                                                              • Instruction ID: 7c766f3f1fb2abd04e903467a79d83897fdaad9d0bba0580308fe752c8381985
                                                              • Opcode Fuzzy Hash: acecc3e732b5dbd74a9740bd21ea2b495ff764a52a6e8e2361329d984987feff
                                                              • Instruction Fuzzy Hash: 1B11BF71905205EFDB25CF64DA985AE7BB4AF11355F20483FE042B72C0D6B88A85DA1D
                                                              APIs
                                                              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                              • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
                                                              • Instruction ID: c6e23866af321c238b4b59365f681da1ab702c54c00e726fca3ee5b0521d1f72
                                                              • Opcode Fuzzy Hash: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
                                                              • Instruction Fuzzy Hash: 5201D131B242109BE7194B38AE04B2A36A8E754315F51813AF851F61F1DB78CC129B4D
                                                              APIs
                                                              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
                                                              • CloseHandle.KERNEL32(?), ref: 00405A57
                                                              Similarity
                                                              • API ID: CloseCreateHandleProcess
                                                              • String ID:
                                                              • API String ID: 3712363035-0
                                                              • Opcode ID: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
                                                              • Instruction ID: 70dcd79ab4e1e9e84cc9ba673cd08f466e07e48f17d85ed3475224309c024e1a
                                                              • Opcode Fuzzy Hash: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
                                                              • Instruction Fuzzy Hash: A5E04FB4600209BFEB009B64ED09F7B77ACFB04244F808421BE40F2150D67899658A78
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 004067C1
                                                                • Part of subcall function 00406726: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
                                                                • Part of subcall function 00406726: wsprintfA.USER32 ref: 00406776
                                                                • Part of subcall function 00406726: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040678A
                                                              Similarity
                                                              • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                              • String ID:
                                                              • API String ID: 2547128583-0
                                                              • Opcode ID: c54c0e861ed706937e547878721e8d44c7a1bbc080d115c20b20089ef5e69713
                                                              • Instruction ID: 2a593beb9babc16b4b5ae8275dbdfb46ef4ebf17ea7291b62b5d373670c31446
                                                              • Opcode Fuzzy Hash: c54c0e861ed706937e547878721e8d44c7a1bbc080d115c20b20089ef5e69713
                                                              • Instruction Fuzzy Hash: B6E0863260421157D21067705E4897773ACAF94B54302043EF546F3144D7389C76966D
                                                              APIs
                                                              • GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe,80000000,00000003), ref: 00405F1F
                                                              • CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
                                                              Similarity
                                                              • API ID: File$AttributesCreate
                                                              • String ID:
                                                              • API String ID: 415043291-0
                                                              • Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
                                                              • Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
                                                              • Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
                                                              • Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19
                                                              APIs
                                                              • GetFileAttributesA.KERNEL32(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
                                                              • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F0F
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              APIs
                                                              • CreateDirectoryA.KERNEL32(?,00000000,004034BF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004059F2
                                                              • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405A00
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CreateDirectoryErrorLast
                                                              • String ID:
                                                              • API String ID: 1375471231-0
                                                              APIs
                                                              • lstrcpynA.KERNEL32(?,10003024,?,10003020,1000138F,10003020,00000400), ref: 10001454
                                                              • GlobalFree.KERNELBASE(10003020), ref: 10001464
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3221901387.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000000.00000002.3221882363.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 00000000.00000002.3221921723.0000000010002000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 00000000.00000002.3221941500.0000000010004000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: FreeGloballstrcpyn
                                                              • String ID:
                                                              • API String ID: 1459762280-0
                                                              APIs
                                                                • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                                • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                                • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                                • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                                                                • Part of subcall function 00405A21: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
                                                                • Part of subcall function 00405A21: CloseHandle.KERNEL32(?), ref: 00405A57
                                                              • FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 00401FC0
                                                                • Part of subcall function 00406809: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
                                                                • Part of subcall function 00406809: GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C
                                                                • Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CloseProcesslstrlen$ChangeCodeCreateExitFindHandleNotificationObjectSingleTextWaitWindowlstrcatwsprintf
                                                              • String ID:
                                                              • API String ID: 1543427666-0
                                                              APIs
                                                              • RegCreateKeyExA.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEA,00000000,?,?), ref: 00406265
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              APIs
                                                              • WriteFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,00411340,0040B8F8,00403405,0040B8F8,00411340,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F,00000004), ref: 00405FD6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: FileWrite
                                                              • String ID:
                                                              • API String ID: 3934441357-0
                                                              APIs
                                                              • RegOpenKeyExA.KERNEL32(00000000,?,00000000,?,?,00420530,?,?,0040629C,00420530,?,?,?,00000002,C:\Users\user\AppData\Local\Temp\setup.exe), ref: 00406232
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Open
                                                              • String ID:
                                                              • API String ID: 71445658-0
                                                              APIs
                                                              • MoveFileExA.KERNEL32(?,?,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0040616B
                                                                • Part of subcall function 00405FF1: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
                                                                • Part of subcall function 00405FF1: GetShortPathNameA.KERNEL32(?,00422AE0,00000400), ref: 0040602B
                                                                • Part of subcall function 00405FF1: GetShortPathNameA.KERNEL32(?,00422EE0,00000400), ref: 00406048
                                                                • Part of subcall function 00405FF1: wsprintfA.USER32 ref: 00406066
                                                                • Part of subcall function 00405FF1: GetFileSize.KERNEL32(00000000,00000000,00422EE0,C0000000,00000004,00422EE0,?,?,?,?,?), ref: 004060A1
                                                                • Part of subcall function 00405FF1: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
                                                                • Part of subcall function 00405FF1: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
                                                                • Part of subcall function 00405FF1: SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,004226E0,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
                                                                • Part of subcall function 00405FF1: GlobalFree.KERNEL32(00000000), ref: 0040614F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: File$GlobalNamePathShort$AllocCloseFreeHandleMovePointerSizelstrcpywsprintf
                                                              • String ID:
                                                              • API String ID: 299535525-0
                                                              APIs
                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00403182,?), ref: 00403492
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: FilePointer
                                                              • String ID:
                                                              • API String ID: 973152223-0
                                                              APIs
                                                              • GetDlgItem.USER32(?,00000403), ref: 00405646
                                                              • GetDlgItem.USER32(?,000003EE), ref: 00405655
                                                              • GetClientRect.USER32(?,?), ref: 00405692
                                                              • GetSystemMetrics.USER32(00000002), ref: 00405699
                                                              • SendMessageA.USER32(?,0000101B,00000000,?), ref: 004056BA
                                                              • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004056CB
                                                              • SendMessageA.USER32(?,00001001,00000000,?), ref: 004056DE
                                                              • SendMessageA.USER32(?,00001026,00000000,?), ref: 004056EC
                                                              • SendMessageA.USER32(?,00001024,00000000,?), ref: 004056FF
                                                              • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405721
                                                              • ShowWindow.USER32(?,00000008), ref: 00405735
                                                              • GetDlgItem.USER32(?,000003EC), ref: 00405756
                                                              • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405766
                                                              • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040577F
                                                              • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040578B
                                                              • GetDlgItem.USER32(?,000003F8), ref: 00405664
                                                                • Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448
                                                              • GetDlgItem.USER32(?,000003EC), ref: 004057A7
                                                              • CreateThread.KERNEL32(00000000,00000000,Function_0000557B,00000000), ref: 004057B5
                                                              • CloseHandle.KERNEL32(00000000), ref: 004057BC
                                                              • ShowWindow.USER32(00000000), ref: 004057DF
                                                              • ShowWindow.USER32(?,00000008), ref: 004057E6
                                                              • ShowWindow.USER32(00000008), ref: 0040582C
                                                              • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405860
                                                              • CreatePopupMenu.USER32 ref: 00405871
                                                              • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405886
                                                              • GetWindowRect.USER32(?,000000FF), ref: 004058A6
                                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004058BF
                                                              • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004058FB
                                                              • OpenClipboard.USER32(00000000), ref: 0040590B
                                                              • EmptyClipboard.USER32 ref: 00405911
                                                              • GlobalAlloc.KERNEL32(00000042,?), ref: 0040591A
                                                              • GlobalLock.KERNEL32(00000000), ref: 00405924
                                                              • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405938
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00405951
                                                              • SetClipboardData.USER32(00000001,00000000), ref: 0040595C
                                                              • CloseClipboard.USER32 ref: 00405962
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                              • String ID: PB
                                                              • API String ID: 590372296-3196168531
                                                              • Opcode ID: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
                                                              • Instruction ID: 44a2cb424ceca129f1c721a27905a8e57bc1109532c064cce4e419f7e60c3497
                                                              • Opcode Fuzzy Hash: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
                                                              • Instruction Fuzzy Hash: 18A13971900608FFDB11AF64DE85AAE7BB9FB48355F00403AFA41BA1A0CB754E51DF58
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003FB), ref: 004048E6
                                                              • SetWindowTextA.USER32(00000000,?), ref: 00404910
                                                              • SHBrowseForFolderA.SHELL32(?,00420128,?), ref: 004049C1
                                                              • CoTaskMemFree.OLE32(00000000), ref: 004049CC
                                                              • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,00420D50), ref: 004049FE
                                                              • lstrcatA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\setup.exe), ref: 00404A0A
                                                              • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404A1C
                                                                • Part of subcall function 00405A82: GetDlgItemTextA.USER32(?,?,00000400,00404A53), ref: 00405A95
                                                                • Part of subcall function 00406666: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
                                                                • Part of subcall function 00406666: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
                                                                • Part of subcall function 00406666: CharNextA.USER32(0000000B,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
                                                                • Part of subcall function 00406666: CharPrevA.USER32(0000000B,0000000B,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0
                                                              • GetDiskFreeSpaceA.KERNEL32(0041FD20,?,?,0000040F,?,0041FD20,0041FD20,?,00000001,0041FD20,?,?,000003FB,?), ref: 00404ADA
                                                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AF5
                                                                • Part of subcall function 00404C4E: lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
                                                                • Part of subcall function 00404C4E: wsprintfA.USER32 ref: 00404CF4
                                                                • Part of subcall function 00404C4E: SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                              • String ID: A$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\GamePall$PB
                                                              • API String ID: 2624150263-3989672957
                                                              • Opcode ID: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
                                                              • Instruction ID: 03633cdec68ae3b48ba4c7d33c4768738bfb21d85bfcf2e4b9185cba9ee35c0f
                                                              • Opcode Fuzzy Hash: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
                                                              • Instruction Fuzzy Hash: 7DA150B1A00208AADB11EFA5DD45BAFB6B8EF84315F10803BF601B62D1D77C99418F6D
                                                              APIs
                                                              • CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
                                                              • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA
                                                              Strings
                                                              • C:\Users\user\AppData\Roaming\GamePall\update, xrefs: 00402238
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ByteCharCreateInstanceMultiWide
                                                              • String ID: C:\Users\user\AppData\Roaming\GamePall\update
                                                              • API String ID: 123533781-2725132131
                                                              • Opcode ID: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
                                                              • Instruction ID: 4a55140eb955682c0845ac661669d1effe53c60cfc8a987c49de3bb9103baba8
                                                              • Opcode Fuzzy Hash: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
                                                              • Instruction Fuzzy Hash: B2513575A00208AFDF10DFE4CA88A9D7BB5EF48314F2045BAF505EB2D1DA799981CB54
                                                              APIs
                                                              • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: FileFindFirst
                                                              • String ID:
                                                              • API String ID: 1974802433-0
                                                              • Opcode ID: 3697544f2be0618a58616ff40495ed399055e36512a5e022deae8fba2564a7e1
                                                              • Instruction ID: 9767438fe71d1176ff9aac627a01f72906af616df08219c0cc944b63bddc0547
                                                              • Opcode Fuzzy Hash: 3697544f2be0618a58616ff40495ed399055e36512a5e022deae8fba2564a7e1
                                                              • Instruction Fuzzy Hash: CCF0A0726082049AD710EBA49A49AEEB7689F51324F60057BF142F20C1D6B889459B2A
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003F9), ref: 00404E21
                                                              • GetDlgItem.USER32(?,00000408), ref: 00404E2E
                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404E7D
                                                              • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E94
                                                              • SetWindowLongA.USER32(?,000000FC,0040541D), ref: 00404EAE
                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404EC0
                                                              • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404ED4
                                                              • SendMessageA.USER32(?,00001109,00000002), ref: 00404EEA
                                                              • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404EF6
                                                              • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404F06
                                                              • DeleteObject.GDI32(00000110), ref: 00404F0B
                                                              • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404F36
                                                              • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404F42
                                                              • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404FDC
                                                              • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 0040500C
                                                                • Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448
                                                              • SendMessageA.USER32(?,00001100,00000000,?), ref: 00405020
                                                              • GetWindowLongA.USER32(?,000000F0), ref: 0040504E
                                                              • SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040505C
                                                              • ShowWindow.USER32(?,00000005), ref: 0040506C
                                                              • SendMessageA.USER32(?,00000419,00000000,?), ref: 00405167
                                                              • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004051CC
                                                              • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004051E1
                                                              • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00405205
                                                              • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00405225
                                                              • ImageList_Destroy.COMCTL32(?), ref: 0040523A
                                                              • GlobalFree.KERNEL32(?), ref: 0040524A
                                                              • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004052C3
                                                              • SendMessageA.USER32(?,00001102,?,?), ref: 0040536C
                                                              • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040537B
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 004053A6
                                                              • ShowWindow.USER32(?,00000000), ref: 004053F4
                                                              • GetDlgItem.USER32(?,000003FE), ref: 004053FF
                                                              • ShowWindow.USER32(00000000), ref: 00405406
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                              • String ID: $M$N
                                                              • API String ID: 2564846305-813528018
                                                              • Opcode ID: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
                                                              • Instruction ID: c306c4130ea67d8582adb4b0d0e706bf782d7aff15223233fd0d43401108afdf
                                                              • Opcode Fuzzy Hash: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
                                                              • Instruction Fuzzy Hash: 6C025CB0A00609AFDB209F94DD45AAE7BB5FB84354F10817AF610BA2E1D7789D42CF58
                                                              APIs
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403F47
                                                              • ShowWindow.USER32(?), ref: 00403F67
                                                              • GetWindowLongA.USER32(?,000000F0), ref: 00403F79
                                                              • ShowWindow.USER32(?,00000004), ref: 00403F92
                                                              • DestroyWindow.USER32 ref: 00403FA6
                                                              • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403FBF
                                                              • GetDlgItem.USER32(?,?), ref: 00403FDE
                                                              • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403FF2
                                                              • IsWindowEnabled.USER32(00000000), ref: 00403FF9
                                                              • GetDlgItem.USER32(?,00000001), ref: 004040A4
                                                              • GetDlgItem.USER32(?,00000002), ref: 004040AE
                                                              • SetClassLongA.USER32(?,000000F2,?), ref: 004040C8
                                                              • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00404119
                                                              • GetDlgItem.USER32(?,00000003), ref: 004041BF
                                                              • ShowWindow.USER32(00000000,?), ref: 004041E0
                                                              • EnableWindow.USER32(?,?), ref: 004041F2
                                                              • EnableWindow.USER32(?,?), ref: 0040420D
                                                              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404223
                                                              • EnableMenuItem.USER32(00000000), ref: 0040422A
                                                              • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00404242
                                                              • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404255
                                                              • lstrlenA.KERNEL32(00420D50,?,00420D50,00000000), ref: 0040427F
                                                              • SetWindowTextA.USER32(?,00420D50), ref: 0040428E
                                                              • ShowWindow.USER32(?,0000000A), ref: 004043C2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                                                              • String ID: PB
                                                              • API String ID: 1860320154-3196168531
                                                              • Opcode ID: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
                                                              • Instruction ID: 6b3c419a8b2de2434844e8cd53afab52d63163afb5b1bd925d395a768d9dd0e6
                                                              • Opcode Fuzzy Hash: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
                                                              • Instruction Fuzzy Hash: ECC1D2B1A00204BBCB206F61EE45E2B3A78EB85745F41053EF781B61F1CB3998929B5D
                                                              APIs
                                                              • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004045FB
                                                              • GetDlgItem.USER32(00000000,000003E8), ref: 0040460F
                                                              • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040462D
                                                              • GetSysColor.USER32(?), ref: 0040463E
                                                              • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040464D
                                                              • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040465C
                                                              • lstrlenA.KERNEL32(?), ref: 0040465F
                                                              • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040466E
                                                              • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404683
                                                              • GetDlgItem.USER32(?,0000040A), ref: 004046E5
                                                              • SendMessageA.USER32(00000000), ref: 004046E8
                                                              • GetDlgItem.USER32(?,000003E8), ref: 00404713
                                                              • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404753
                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 00404762
                                                              • SetCursor.USER32(00000000), ref: 0040476B
                                                              • LoadCursorA.USER32(00000000,00007F00), ref: 00404781
                                                              • SetCursor.USER32(00000000), ref: 00404784
                                                              • SendMessageA.USER32(00000111,00000001,00000000), ref: 004047B0
                                                              • SendMessageA.USER32(00000010,00000000,00000000), ref: 004047C4
Memory Dump Source
• Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
• String ID: N$6B
• API String ID: 3103080414-649610290
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
• GetShortPathNameA.KERNEL32(?,00422AE0,00000400), ref: 0040602B
  • Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
  • Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2
• GetShortPathNameA.KERNEL32(?,00422EE0,00000400), ref: 00406048
• wsprintfA.USER32 ref: 00406066
• GetFileSize.KERNEL32(00000000,00000000,00422EE0,C0000000,00000004,00422EE0,?,?,?,?,?), ref: 004060A1
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
• SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,004226E0,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
• GlobalFree.KERNEL32(00000000), ref: 0040614F
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406156
  • Part of subcall function 00405F1B: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe,80000000,00000003), ref: 00405F1F
  • Part of subcall function 00405F1B: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
• String ID: %s=%s$[Rename]$*B$.B$.B
• API String ID: 2171350718-3836630945
APIs
• DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectA.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextA.USER32(00000000,00423F40,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
APIs
• lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
• lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
• lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
• SetWindowTextA.USER32(00420530,00420530), ref: 00405517
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
• SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
• SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID: 4/@
• API String ID: 2531174081-3101945251
APIs
• CharNextA.USER32(0000000B,*?|<>/":,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
• CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
• CharNextA.USER32(0000000B,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
• CharPrevA.USER32(0000000B,0000000B,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0
Strings
• *?|<>/":, xrefs: 004066AE
• "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe", xrefs: 00406666
• C:\Users\user\AppData\Local\Temp\, xrefs: 00406667
Similarity
• API ID: Char$Next$Prev
• String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
• API String ID: 589700163-3877490064
APIs
• DestroyWindow.USER32(?,00000000), ref: 00402ED5
• GetTickCount.KERNEL32 ref: 00402EF3
• wsprintfA.USER32 ref: 00402F21
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
  • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
  • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
• CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402F45
• ShowWindow.USER32(00000000,00000005), ref: 00402F53
  • Part of subcall function 00402EA1: MulDiv.KERNEL32(?,00000064,?), ref: 00402EB6
Similarity
• API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
• String ID: ... %d%%$#Vh%.@
• API String ID: 722711167-1706192003
APIs
• GetWindowLongA.USER32(?,000000EB), ref: 00404489
• GetSysColor.USER32(00000000), ref: 004044C7
• SetTextColor.GDI32(?,00000000), ref: 004044D3
• SetBkMode.GDI32(?,?), ref: 004044DF
• GetSysColor.USER32(?), ref: 004044F2
• SetBkColor.GDI32(?,?), ref: 00404502
• DeleteObject.GDI32(?), ref: 0040451C
• CreateBrushIndirect.GDI32(?), ref: 00404526
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
APIs
• SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404D73
• GetMessagePos.USER32 ref: 00404D7B
• ScreenToClient.USER32(?,?), ref: 00404D95
• SendMessageA.USER32(?,00001111,00000000,?), ref: 00404DA7
• SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404DCD
                                                              Similarity
                                                              • API ID: Message$Send$ClientScreen
                                                              • String ID: f
                                                              • API String ID: 41195575-1993550816
                                                              • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                              • Instruction ID: de178be9688f757f82ef56a4cbeb6693d0582b60b2ea90e1a00f6814b48fd044
                                                              • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                              • Instruction Fuzzy Hash: BB014871900219BADB01DBA4DD85BFEBBF8AF95B11F10016ABA40B61C0C6B499058BA4
                                                              APIs
                                                              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
                                                              • wsprintfA.USER32 ref: 00402E74
                                                              • SetWindowTextA.USER32(?,?), ref: 00402E84
                                                              • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E96
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Text$ItemTimerWindowwsprintf
                                                              • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                              • API String ID: 1451636040-1158693248
                                                              • Opcode ID: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
                                                              • Instruction ID: 7ad4584a5e884be7344c254f70e0401137e7e46ce86c3cf658bb2ab9d23be74a
                                                              • Opcode Fuzzy Hash: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
                                                              • Instruction Fuzzy Hash: 1DF01D7054020DBAEF219F60DE0ABAE3769EB44344F00803AFA16B91D0DBB899558F99
                                                              APIs
                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
                                                              • GlobalFree.KERNEL32(?), ref: 004028A4
                                                              • GlobalFree.KERNEL32(00000000), ref: 004028B7
                                                              • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D3
                                                              • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                              • String ID:
                                                              • API String ID: 2667972263-0
                                                              • Opcode ID: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
                                                              • Instruction ID: cd924008ac91bdcd896aacfcc8aadc4f9c7de1b4393fc14a433ce499bdbf1d56
                                                              • Opcode Fuzzy Hash: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
                                                              • Instruction Fuzzy Hash: D931AC32800128ABDF216FA5DE49D9E7A75FF08364F24423AF450B62D0CB7949419F68
                                                              APIs
                                                              • OpenProcess.KERNEL32(00100401,00000000,?,0000025E,?,00000000,?), ref: 10001054
                                                              • EnumWindows.USER32(10001007,?), ref: 10001074
                                                              • GetExitCodeProcess.KERNEL32(00000000,?), ref: 10001084
                                                              • WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 1000109D
                                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 100010AE
                                                              • CloseHandle.KERNEL32(00000000), ref: 100010C5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3221901387.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000000.00000002.3221882363.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000000.00000002.3221921723.0000000010002000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 00000000.00000002.3221941500.0000000010004000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Process$CloseCodeEnumExitHandleObjectOpenSingleTerminateWaitWindows
                                                              • String ID:
                                                              • API String ID: 3465249596-0
                                                              • Opcode ID: 45a2251c50cfe7217ad4567bb79eedec0e3199e983198285888405aa9b7494a4
                                                              • Instruction ID: 6b4dcd5717a232181223c093e4f4244ae1ce1555a3c8e15b92772d9ea2fb9ae7
                                                              • Opcode Fuzzy Hash: 45a2251c50cfe7217ad4567bb79eedec0e3199e983198285888405aa9b7494a4
                                                              • Instruction Fuzzy Hash: 5211E235A00299EFFB00DFA5CCC8AEE77BCEB456C5F014069FA4192149D7B49981CB62
                                                              APIs
                                                              • lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
                                                              • wsprintfA.USER32 ref: 00404CF4
                                                              • SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ItemTextlstrlenwsprintf
                                                              • String ID: %u.%u%s%s$PB
                                                              • API String ID: 3540041739-838025833
                                                              • Opcode ID: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
                                                              • Instruction ID: 635705270cf82d3fa6c033b13715314544988666452c3f341a93ad76d23c3d90
                                                              • Opcode Fuzzy Hash: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
                                                              • Instruction Fuzzy Hash: 5F11E77360512837EB00656D9D45EAE3298DB85374F26423BFE26F71D1E978CC1286E8
                                                              APIs
                                                              • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
                                                              • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
                                                              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
                                                              • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
                                                              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CloseEnum$DeleteValue
                                                              • String ID:
                                                              • API String ID: 1354259210-0
                                                              • Opcode ID: 6a17d2dfc8014f9998472e4bb2df9c50261cd009cc462a72ab7525fe56808e65
                                                              • Instruction ID: 1f7d8097ab2fb743d310579a2b4365e3e31c1a4ec17ce584dda370d325fd3950
                                                              • Opcode Fuzzy Hash: 6a17d2dfc8014f9998472e4bb2df9c50261cd009cc462a72ab7525fe56808e65
                                                              • Instruction Fuzzy Hash: 1D214B7150010CBBDF129F90CE89EEB7B7DEF44344F11007AF955B11A0D7B49EA49AA8
                                                              APIs
                                                              • GetDlgItem.USER32(?,?), ref: 00401D7E
                                                              • GetClientRect.USER32(?,?), ref: 00401DCC
                                                              • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
                                                              • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
                                                              • DeleteObject.GDI32(00000000), ref: 00401E20
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                              • String ID:
                                                              • API String ID: 1849352358-0
                                                              • Opcode ID: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
                                                              • Instruction ID: cb7cd4706ec086029cb46641885d9617bace417a5341e65c45b3777010ef1041
                                                              • Opcode Fuzzy Hash: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
                                                              • Instruction Fuzzy Hash: 35212A72E00109AFDF15DFA4DD85AAEBBB5EB88300F24417EF911F62A0DB389941DB14
                                                              APIs
                                                              • GetDC.USER32(?), ref: 00401E38
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                                                              • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                                                              • ReleaseDC.USER32(?,00000000), ref: 00401E6B
                                                              • CreateFontIndirectA.GDI32(0040B820), ref: 00401EBA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CapsCreateDeviceFontIndirectRelease
                                                              • String ID:
                                                              • API String ID: 3808545654-0
                                                              • Opcode ID: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
                                                              • Instruction ID: bfe7ce59390996d5b2ac71ca67757b7c78ff13e1b53bdd881068f9c0e557254e
                                                              • Opcode Fuzzy Hash: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
                                                              • Instruction Fuzzy Hash: 66018072504340AEE7007BB0AF8AA9A7FE8E755701F109439F241B61E2CB790449CB6C
                                                              APIs
                                                              • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                                                              • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Timeout
                                                              • String ID: !
                                                              • API String ID: 1777923405-2657877971
                                                              • Opcode ID: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
                                                              • Instruction ID: a12cfbdd51ff26f17676da16b1bc06906883597644a76ef85f46b7bf1251d8d3
                                                              • Opcode Fuzzy Hash: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
                                                              • Instruction Fuzzy Hash: 2A218271948208BEEB059FF5DA8AAAD7FB4EF84304F20447EF101B61D1D7B989819B18
                                                              APIs
                                                              • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D20
                                                              • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D29
                                                              • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405D3A
                                                              Strings
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405D1A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3220838155.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.3220818460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220857949.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220875601.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.3220974156.0000000000436000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CharPrevlstrcatlstrlen
                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                              • API String ID: 2659869361-823278215
                                                              APIs
                                                              • CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe"), ref: 00405DC1
                                                              • CharNextA.USER32(00000000), ref: 00405DC6
                                                              • CharNextA.USER32(00000000), ref: 00405DDA
                                                              Strings
                                                              Similarity
                                                              • API ID: CharNext
                                                              • String ID: C:\
                                                              • API String ID: 3213498283-3404278061
                                                              APIs
                                                              • IsWindowVisible.USER32(?), ref: 0040544C
                                                              • CallWindowProcA.USER32(?,?,?,?), ref: 0040549D
                                                                • Part of subcall function 00404451: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404463
                                                              Strings
                                                              Similarity
                                                              • API ID: Window$CallMessageProcSendVisible
                                                              • String ID:
                                                              • API String ID: 3748168415-3916222277
                                                              APIs
                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,C:\Users\user\AppData\Local\Temp\setup.exe,00420530,?,?,?,00000002,C:\Users\user\AppData\Local\Temp\setup.exe,?,00406527,80000002), ref: 004062B5
                                                              • RegCloseKey.ADVAPI32(?,?,00406527,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,?,00420530), ref: 004062C0
                                                              Strings
                                                              Similarity
                                                              • API ID: CloseQueryValue
                                                              • String ID: C:\Users\user\AppData\Local\Temp\setup.exe
                                                              • API String ID: 3356406503-4037476823
                                                              APIs
                                                              • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402FC8,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe,80000000,00000003), ref: 00405D67
                                                              • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402FC8,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe,80000000,00000003), ref: 00405D75
                                                              Strings
                                                              Similarity
                                                              • API ID: CharPrevlstrlen
                                                              • String ID: C:\Users\user\Desktop
                                                              • API String ID: 2709904686-1246513382
                                                              APIs
                                                              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
                                                              • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405EA8
                                                              • CharNextA.USER32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB9
                                                              • lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2
                                                              Similarity
                                                              • API ID: lstrlen$CharNextlstrcmpi
                                                              • String ID:
                                                              • API String ID: 190613189-0

                                                              Execution Graph

                                                              Execution Coverage: 17.8%
                                                              Dynamic/Decrypted Code Coverage: 0%
                                                              Signature Coverage: 0%
                                                              Total number of Nodes: 1367
                                                              Total number of Limit Nodes: 26
4105->4111 4121 404427 EnableWindow 4107->4121 4110->4111 4111->4103 4115 4047b8 SendMessageA 4111->4115 4112 4046fc 4124 4047f0 4112->4124 4113 404607 GetDlgItem 4122 40443a SendMessageA 4113->4122 4115->4103 4118 40461d SendMessageA 4119 404644 SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 4118->4119 4120 40463b GetSysColor 4118->4120 4119->4103 4120->4119 4121->4113 4122->4118 4123->4112 4125 404803 SendMessageA 4124->4125 4126 4047fe 4124->4126 4125->4091 4126->4125 4130 405a64 ShellExecuteExA 4127->4130 4129 40477a LoadCursorA SetCursor 4129->4098 4130->4129 4131 402173 4132 402c39 17 API calls 4131->4132 4133 40217a 4132->4133 4134 402c39 17 API calls 4133->4134 4135 402184 4134->4135 4136 402c39 17 API calls 4135->4136 4137 40218e 4136->4137 4138 402c39 17 API calls 4137->4138 4139 40219b 4138->4139 4140 402c39 17 API calls 4139->4140 4141 4021a5 4140->4141 4142 4021e7 CoCreateInstance 4141->4142 4143 402c39 17 API calls 4141->4143 4144 402206 4142->4144 4148 4022b4 4142->4148 4143->4142 4147 402294 MultiByteToWideChar 4144->4147 4144->4148 4145 401423 24 API calls 4146 4022ea 4145->4146 4147->4148 4148->4145 4148->4146 4149 4022f3 4150 402c39 17 API calls 4149->4150 4151 4022f9 4150->4151 4152 402c39 17 API calls 4151->4152 4153 402302 4152->4153 4154 402c39 17 API calls 4153->4154 4155 40230b 4154->4155 4156 4066ff 2 API calls 4155->4156 4157 402314 4156->4157 4158 402325 lstrlenA lstrlenA 4157->4158 4162 402318 4157->4162 4160 4054a9 24 API calls 4158->4160 4159 4054a9 24 API calls 4163 402320 4159->4163 4161 402361 SHFileOperationA 4160->4161 4161->4162 4161->4163 4162->4159 4162->4163 4164 4014f4 SetForegroundWindow 4165 402ac5 4164->4165 4166 402375 4167 40237c 4166->4167 4170 40238f 4166->4170 4168 40641b 17 API calls 4167->4168 4169 402389 4168->4169 4171 405a9e MessageBoxIndirectA 4169->4171 4171->4170 4172 402675 4173 402c17 17 API calls 4172->4173 4177 40267f 4173->4177 4174 4026ed 4175 405f93 ReadFile 4175->4177 4176 4026ef 4181 
4062e6 wsprintfA 4176->4181 4177->4174 4177->4175 4177->4176 4178 4026ff 4177->4178 4178->4174 4180 402715 SetFilePointer 4178->4180 4180->4174 4181->4174 4182 4029f6 4183 402a49 4182->4183 4184 4029fd 4182->4184 4185 406794 5 API calls 4183->4185 4187 402c17 17 API calls 4184->4187 4190 402a47 4184->4190 4186 402a50 4185->4186 4188 402c39 17 API calls 4186->4188 4189 402a0b 4187->4189 4191 402a59 4188->4191 4192 402c17 17 API calls 4189->4192 4191->4190 4200 4063db 4191->4200 4194 402a1a 4192->4194 4199 4062e6 wsprintfA 4194->4199 4195 402a67 4195->4190 4204 4063c5 4195->4204 4199->4190 4201 4063e6 4200->4201 4202 406409 IIDFromString 4201->4202 4203 406402 4201->4203 4202->4195 4203->4195 4207 4063aa WideCharToMultiByte 4204->4207 4206 402a88 CoTaskMemFree 4206->4190 4207->4206 4208 401ef9 4209 402c39 17 API calls 4208->4209 4210 401eff 4209->4210 4211 402c39 17 API calls 4210->4211 4212 401f08 4211->4212 4213 402c39 17 API calls 4212->4213 4214 401f11 4213->4214 4215 402c39 17 API calls 4214->4215 4216 401f1a 4215->4216 4217 401423 24 API calls 4216->4217 4218 401f21 4217->4218 4225 405a64 ShellExecuteExA 4218->4225 4220 401f5c 4221 406809 5 API calls 4220->4221 4223 4027c8 4220->4223 4222 401f76 CloseHandle 4221->4222 4222->4223 4225->4220 3534 401f7b 3535 402c39 17 API calls 3534->3535 3536 401f81 3535->3536 3537 4054a9 24 API calls 3536->3537 3538 401f8b 3537->3538 3549 405a21 CreateProcessA 3538->3549 3541 401fb2 CloseHandle 3545 4027c8 3541->3545 3544 401fa6 3546 401fb4 3544->3546 3547 401fab 3544->3547 3546->3541 3557 4062e6 wsprintfA 3547->3557 3550 401f91 3549->3550 3551 405a54 CloseHandle 3549->3551 3550->3541 3550->3545 3552 406809 WaitForSingleObject 3550->3552 3551->3550 3553 406823 3552->3553 3554 406835 GetExitCodeProcess 3553->3554 3555 4067d0 2 API calls 3553->3555 3554->3544 3556 40682a WaitForSingleObject 3555->3556 3556->3553 3557->3541 4233 401ffb 4234 402c39 17 API calls 4233->4234 4235 402002 4234->4235 4236 406794 5 API calls 4235->4236 
4237 402011 4236->4237 4238 402029 GlobalAlloc 4237->4238 4247 402099 4237->4247 4239 40203d 4238->4239 4238->4247 4240 406794 5 API calls 4239->4240 4241 402044 4240->4241 4242 406794 5 API calls 4241->4242 4243 40204e 4242->4243 4243->4247 4248 4062e6 wsprintfA 4243->4248 4245 402089 4249 4062e6 wsprintfA 4245->4249 4248->4245 4249->4247 3830 403a7c 3831 403a97 3830->3831 3832 403a8d CloseHandle 3830->3832 3833 403aa1 CloseHandle 3831->3833 3834 403aab 3831->3834 3832->3831 3833->3834 3839 403ad9 3834->3839 3837 405b4a 67 API calls 3838 403abc 3837->3838 3840 403ae7 3839->3840 3841 403ab0 3840->3841 3842 403aec FreeLibrary GlobalFree 3840->3842 3841->3837 3842->3841 3842->3842 4250 4018fd 4251 401934 4250->4251 4252 402c39 17 API calls 4251->4252 4253 401939 4252->4253 4254 405b4a 67 API calls 4253->4254 4255 401942 4254->4255 3843 40247e 3844 402c39 17 API calls 3843->3844 3845 402490 3844->3845 3846 402c39 17 API calls 3845->3846 3847 40249a 3846->3847 3860 402cc9 3847->3860 3850 4024cf 3854 4024db 3850->3854 3864 402c17 3850->3864 3851 402c39 17 API calls 3855 4024c8 lstrlenA 3851->3855 3852 402ac5 3853 4024fd RegSetValueExA 3858 402513 RegCloseKey 3853->3858 3854->3853 3857 4031fd 44 API calls 3854->3857 3855->3850 3857->3853 3858->3852 3861 402ce4 3860->3861 3867 40623c 3861->3867 3865 40641b 17 API calls 3864->3865 3866 402c2c 3865->3866 3866->3854 3868 40624b 3867->3868 3869 4024aa 3868->3869 3870 406256 RegCreateKeyExA 3868->3870 3869->3850 3869->3851 3869->3852 3870->3869 4256 401cfe 4257 402c17 17 API calls 4256->4257 4258 401d04 IsWindow 4257->4258 4259 401a0e 4258->4259 4260 401000 4261 401037 BeginPaint GetClientRect 4260->4261 4262 40100c DefWindowProcA 4260->4262 4264 4010f3 4261->4264 4265 401179 4262->4265 4266 401073 CreateBrushIndirect FillRect DeleteObject 4264->4266 4267 4010fc 4264->4267 4266->4264 4268 401102 CreateFontIndirectA 4267->4268 4269 401167 EndPaint 4267->4269 4268->4269 4270 401112 6 API calls 4268->4270 4269->4265 4270->4269 
4271 401900 4272 402c39 17 API calls 4271->4272 4273 401907 4272->4273 4274 405a9e MessageBoxIndirectA 4273->4274 4275 401910 4274->4275 4276 402780 4277 402786 4276->4277 4278 40278a FindNextFileA 4277->4278 4281 40279c 4277->4281 4279 4027db 4278->4279 4278->4281 4282 406388 lstrcpynA 4279->4282 4282->4281 4283 401502 4284 40150a 4283->4284 4286 40151d 4283->4286 4285 402c17 17 API calls 4284->4285 4285->4286 4287 401b87 4288 401b94 4287->4288 4289 401bd8 4287->4289 4290 401c1c 4288->4290 4297 401bab 4288->4297 4291 401c01 GlobalAlloc 4289->4291 4292 401bdc 4289->4292 4294 40641b 17 API calls 4290->4294 4303 40238f 4290->4303 4293 40641b 17 API calls 4291->4293 4292->4303 4308 406388 lstrcpynA 4292->4308 4293->4290 4296 402389 4294->4296 4301 405a9e MessageBoxIndirectA 4296->4301 4306 406388 lstrcpynA 4297->4306 4298 401bee GlobalFree 4298->4303 4300 401bba 4307 406388 lstrcpynA 4300->4307 4301->4303 4304 401bc9 4309 406388 lstrcpynA 4304->4309 4306->4300 4307->4304 4308->4298 4309->4303 4310 406a88 4312 40690c 4310->4312 4311 407277 4312->4311 4313 406996 GlobalAlloc 4312->4313 4314 40698d GlobalFree 4312->4314 4315 406a04 GlobalFree 4312->4315 4316 406a0d GlobalAlloc 4312->4316 4313->4311 4313->4312 4314->4313 4315->4316 4316->4311 4316->4312 3530 401389 3532 401390 3530->3532 3531 4013fe 3532->3531 3533 4013cb MulDiv SendMessageA 3532->3533 3533->3532 4317 404e0a GetDlgItem GetDlgItem 4318 404e60 7 API calls 4317->4318 4324 405087 4317->4324 4319 404f08 DeleteObject 4318->4319 4320 404efc SendMessageA 4318->4320 4321 404f13 4319->4321 4320->4319 4322 404f4a 4321->4322 4325 40641b 17 API calls 4321->4325 4326 404405 18 API calls 4322->4326 4323 405169 4327 405215 4323->4327 4332 40507a 4323->4332 4337 4051c2 SendMessageA 4323->4337 4324->4323 4351 4050f6 4324->4351 4371 404d58 SendMessageA 4324->4371 4330 404f2c SendMessageA SendMessageA 4325->4330 4331 404f5e 4326->4331 4328 405227 4327->4328 4329 40521f SendMessageA 4327->4329 4339 405240 4328->4339 4340 
405239 ImageList_Destroy 4328->4340 4348 405250 4328->4348 4329->4328 4330->4321 4336 404405 18 API calls 4331->4336 4334 40446c 8 API calls 4332->4334 4333 40515b SendMessageA 4333->4323 4338 405416 4334->4338 4352 404f6f 4336->4352 4337->4332 4342 4051d7 SendMessageA 4337->4342 4343 405249 GlobalFree 4339->4343 4339->4348 4340->4339 4341 4053ca 4341->4332 4346 4053dc ShowWindow GetDlgItem ShowWindow 4341->4346 4345 4051ea 4342->4345 4343->4348 4344 405049 GetWindowLongA SetWindowLongA 4347 405062 4344->4347 4357 4051fb SendMessageA 4345->4357 4346->4332 4349 405067 ShowWindow 4347->4349 4350 40507f 4347->4350 4348->4341 4364 40528b 4348->4364 4376 404dd8 4348->4376 4369 40443a SendMessageA 4349->4369 4370 40443a SendMessageA 4350->4370 4351->4323 4351->4333 4352->4344 4353 405044 4352->4353 4356 404fc1 SendMessageA 4352->4356 4358 405013 SendMessageA 4352->4358 4359 404fff SendMessageA 4352->4359 4353->4344 4353->4347 4356->4352 4357->4327 4358->4352 4359->4352 4361 405395 4362 4053a0 InvalidateRect 4361->4362 4365 4053ac 4361->4365 4362->4365 4363 4052b9 SendMessageA 4367 4052cf 4363->4367 4364->4363 4364->4367 4365->4341 4385 404d13 4365->4385 4366 405343 SendMessageA SendMessageA 4366->4367 4367->4361 4367->4366 4369->4332 4370->4324 4372 404db7 SendMessageA 4371->4372 4373 404d7b GetMessagePos ScreenToClient SendMessageA 4371->4373 4375 404daf 4372->4375 4374 404db4 4373->4374 4373->4375 4374->4372 4375->4351 4388 406388 lstrcpynA 4376->4388 4378 404deb 4389 4062e6 wsprintfA 4378->4389 4380 404df5 4381 40140b 2 API calls 4380->4381 4382 404dfe 4381->4382 4390 406388 lstrcpynA 4382->4390 4384 404e05 4384->4364 4391 404c4e 4385->4391 4387 404d28 4387->4341 4388->4378 4389->4380 4390->4384 4392 404c64 4391->4392 4393 40641b 17 API calls 4392->4393 4394 404cc8 4393->4394 4395 40641b 17 API calls 4394->4395 4396 404cd3 4395->4396 4397 40641b 17 API calls 4396->4397 4398 404ce9 lstrlenA wsprintfA SetDlgItemTextA 4397->4398 4398->4387 4399 40298a 4400 402c17 17 API 
calls 4399->4400 4401 402990 4400->4401 4402 4027c8 4401->4402 4403 40641b 17 API calls 4401->4403 4403->4402 4404 403f0b 4405 403f23 4404->4405 4406 404084 4404->4406 4405->4406 4407 403f2f 4405->4407 4408 4040d5 4406->4408 4409 404095 GetDlgItem GetDlgItem 4406->4409 4411 403f3a SetWindowPos 4407->4411 4412 403f4d 4407->4412 4410 40412f 4408->4410 4421 401389 2 API calls 4408->4421 4413 404405 18 API calls 4409->4413 4414 404451 SendMessageA 4410->4414 4422 40407f 4410->4422 4411->4412 4415 403f56 ShowWindow 4412->4415 4416 403f98 4412->4416 4417 4040bf SetClassLongA 4413->4417 4444 404141 4414->4444 4423 404042 4415->4423 4424 403f76 GetWindowLongA 4415->4424 4418 403fa0 DestroyWindow 4416->4418 4419 403fb7 4416->4419 4420 40140b 2 API calls 4417->4420 4425 40438e 4418->4425 4426 403fbc SetWindowLongA 4419->4426 4427 403fcd 4419->4427 4420->4408 4428 404107 4421->4428 4429 40446c 8 API calls 4423->4429 4424->4423 4430 403f8f ShowWindow 4424->4430 4425->4422 4437 4043bf ShowWindow 4425->4437 4426->4422 4427->4423 4431 403fd9 GetDlgItem 4427->4431 4428->4410 4432 40410b SendMessageA 4428->4432 4429->4422 4430->4416 4435 404007 4431->4435 4436 403fea SendMessageA IsWindowEnabled 4431->4436 4432->4422 4433 40140b 2 API calls 4433->4444 4434 404390 DestroyWindow EndDialog 4434->4425 4439 404014 4435->4439 4442 40405b SendMessageA 4435->4442 4443 404027 4435->4443 4449 40400c 4435->4449 4436->4422 4436->4435 4437->4422 4438 40641b 17 API calls 4438->4444 4439->4442 4439->4449 4440 4043de SendMessageA 4440->4423 4441 404405 18 API calls 4441->4444 4442->4423 4445 404044 4443->4445 4446 40402f 4443->4446 4444->4422 4444->4433 4444->4434 4444->4438 4444->4441 4450 404405 18 API calls 4444->4450 4466 4042d0 DestroyWindow 4444->4466 4447 40140b 2 API calls 4445->4447 4448 40140b 2 API calls 4446->4448 4447->4449 4448->4449 4449->4423 4449->4440 4451 4041bc GetDlgItem 4450->4451 4452 4041d1 4451->4452 4453 4041d9 ShowWindow EnableWindow 4451->4453 4452->4453 4475 404427 
EnableWindow 4453->4475 4455 404203 EnableWindow 4460 404217 4455->4460 4456 40421c GetSystemMenu EnableMenuItem SendMessageA 4457 40424c SendMessageA 4456->4457 4456->4460 4457->4460 4459 403eec 18 API calls 4459->4460 4460->4456 4460->4459 4476 40443a SendMessageA 4460->4476 4477 406388 lstrcpynA 4460->4477 4462 40427b lstrlenA 4463 40641b 17 API calls 4462->4463 4464 40428c SetWindowTextA 4463->4464 4465 401389 2 API calls 4464->4465 4465->4444 4466->4425 4467 4042ea CreateDialogParamA 4466->4467 4467->4425 4468 40431d 4467->4468 4469 404405 18 API calls 4468->4469 4470 404328 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4469->4470 4471 401389 2 API calls 4470->4471 4472 40436e 4471->4472 4472->4422 4473 404376 ShowWindow 4472->4473 4474 404451 SendMessageA 4473->4474 4474->4425 4475->4455 4476->4460 4477->4462 4478 40260c 4479 402c39 17 API calls 4478->4479 4480 402613 4479->4480 4483 405f1b GetFileAttributesA CreateFileA 4480->4483 4482 40261f 4483->4482 4484 401490 4485 4054a9 24 API calls 4484->4485 4486 401497 4485->4486 4487 402590 4497 402c79 4487->4497 4490 402c17 17 API calls 4491 4025a3 4490->4491 4492 4025ca RegEnumValueA 4491->4492 4493 4025be RegEnumKeyA 4491->4493 4495 4027c8 4491->4495 4494 4025df RegCloseKey 4492->4494 4493->4494 4494->4495 4498 402c39 17 API calls 4497->4498 4499 402c90 4498->4499 4500 40620e RegOpenKeyExA 4499->4500 4501 40259a 4500->4501 4501->4490 4509 404897 4510 4048c3 4509->4510 4511 4048d4 4509->4511 4570 405a82 GetDlgItemTextA 4510->4570 4512 4048e0 GetDlgItem 4511->4512 4520 40493f 4511->4520 4514 4048f4 4512->4514 4518 404908 SetWindowTextA 4514->4518 4523 405db3 4 API calls 4514->4523 4515 404a23 4519 404bcd 4515->4519 4572 405a82 GetDlgItemTextA 4515->4572 4516 4048ce 4517 406666 5 API calls 4516->4517 4517->4511 4524 404405 18 API calls 4518->4524 4522 40446c 8 API calls 4519->4522 4520->4515 4520->4519 4525 40641b 17 API calls 4520->4525 4527 404be1 4522->4527 4528 4048fe 4523->4528 4529 404924 4524->4529 
4530 4049b3 SHBrowseForFolderA 4525->4530 4526 404a53 4531 405e08 18 API calls 4526->4531 4528->4518 4535 405d1a 3 API calls 4528->4535 4532 404405 18 API calls 4529->4532 4530->4515 4533 4049cb CoTaskMemFree 4530->4533 4534 404a59 4531->4534 4536 404932 4532->4536 4537 405d1a 3 API calls 4533->4537 4573 406388 lstrcpynA 4534->4573 4535->4518 4571 40443a SendMessageA 4536->4571 4539 4049d8 4537->4539 4543 404a0f SetDlgItemTextA 4539->4543 4546 40641b 17 API calls 4539->4546 4541 404a70 4545 406794 5 API calls 4541->4545 4542 404938 4544 406794 5 API calls 4542->4544 4543->4515 4544->4520 4552 404a77 4545->4552 4547 4049f7 lstrcmpiA 4546->4547 4547->4543 4549 404a08 lstrcatA 4547->4549 4548 404ab3 4574 406388 lstrcpynA 4548->4574 4549->4543 4551 404aba 4553 405db3 4 API calls 4551->4553 4552->4548 4557 405d61 2 API calls 4552->4557 4558 404b0b 4552->4558 4554 404ac0 GetDiskFreeSpaceA 4553->4554 4556 404ae4 MulDiv 4554->4556 4554->4558 4556->4558 4557->4552 4559 404b7c 4558->4559 4561 404d13 20 API calls 4558->4561 4560 404b9f 4559->4560 4563 40140b 2 API calls 4559->4563 4575 404427 EnableWindow 4560->4575 4562 404b69 4561->4562 4564 404b7e SetDlgItemTextA 4562->4564 4565 404b6e 4562->4565 4563->4560 4564->4559 4567 404c4e 20 API calls 4565->4567 4567->4559 4568 404bbb 4568->4519 4569 4047f0 SendMessageA 4568->4569 4569->4519 4570->4516 4571->4542 4572->4526 4573->4541 4574->4551 4575->4568 4576 40541d 4577 405441 4576->4577 4578 40542d 4576->4578 4580 405449 IsWindowVisible 4577->4580 4586 405460 4577->4586 4579 405433 4578->4579 4588 40548a 4578->4588 4582 404451 SendMessageA 4579->4582 4583 405456 4580->4583 4580->4588 4581 40548f CallWindowProcA 4584 40543d 4581->4584 4582->4584 4585 404d58 5 API calls 4583->4585 4585->4586 4586->4581 4587 404dd8 4 API calls 4586->4587 4587->4588 4588->4581 4589 40149d 4590 4014ab PostQuitMessage 4589->4590 4591 40238f 4589->4591 4590->4591 4592 40159d 4593 402c39 17 API calls 4592->4593 4594 4015a4 SetFileAttributesA 4593->4594 
4595 4015b6 4594->4595 4596 401a1e 4597 402c39 17 API calls 4596->4597 4598 401a27 ExpandEnvironmentStringsA 4597->4598 4599 401a3b 4598->4599 4601 401a4e 4598->4601 4600 401a40 lstrcmpA 4599->4600 4599->4601 4600->4601 4602 40251e 4603 402c79 17 API calls 4602->4603 4604 402528 4603->4604 4605 402c39 17 API calls 4604->4605 4606 402531 4605->4606 4607 4027c8 4606->4607 4608 40253b RegQueryValueExA 4606->4608 4609 40255b 4608->4609 4612 402561 RegCloseKey 4608->4612 4609->4612 4613 4062e6 wsprintfA 4609->4613 4612->4607 4613->4612 4619 40171f 4620 402c39 17 API calls 4619->4620 4621 401726 SearchPathA 4620->4621 4622 401741 4621->4622 4623 401d1f 4624 402c17 17 API calls 4623->4624 4625 401d26 4624->4625 4626 402c17 17 API calls 4625->4626 4627 401d32 GetDlgItem 4626->4627 4628 402628 4627->4628 4629 402aa0 SendMessageA 4630 402ac5 4629->4630 4631 402aba InvalidateRect 4629->4631 4631->4630 4632 4023a4 4633 4023b2 4632->4633 4634 4023ac 4632->4634 4636 402c39 17 API calls 4633->4636 4638 4023c2 4633->4638 4635 402c39 17 API calls 4634->4635 4635->4633 4636->4638 4637 4023d0 4640 402c39 17 API calls 4637->4640 4638->4637 4639 402c39 17 API calls 4638->4639 4639->4637 4641 4023d9 WritePrivateProfileStringA 4640->4641 3363 4020a5 3364 4020b7 3363->3364 3365 402165 3363->3365 3366 402c39 17 API calls 3364->3366 3368 401423 24 API calls 3365->3368 3367 4020be 3366->3367 3369 402c39 17 API calls 3367->3369 3374 4022ea 3368->3374 3370 4020c7 3369->3370 3371 4020dc LoadLibraryExA 3370->3371 3372 4020cf GetModuleHandleA 3370->3372 3371->3365 3373 4020ec GetProcAddress 3371->3373 3372->3371 3372->3373 3375 402138 3373->3375 3376 4020fb 3373->3376 3377 4054a9 24 API calls 3375->3377 3379 40210b 3376->3379 3381 401423 3376->3381 3377->3379 3379->3374 3380 402159 FreeLibrary 3379->3380 3380->3374 3382 4054a9 24 API calls 3381->3382 3383 401431 3382->3383 3383->3379 4642 402e25 4643 402e34 SetTimer 4642->4643 4644 402e4d 4642->4644 4643->4644 4645 402e9b 4644->4645 4646 402ea1 
MulDiv 4644->4646 4647 402e5b wsprintfA SetWindowTextA SetDlgItemTextA 4646->4647 4647->4645 4656 402429 4657 402430 4656->4657 4658 40245b 4656->4658 4659 402c79 17 API calls 4657->4659 4660 402c39 17 API calls 4658->4660 4661 402437 4659->4661 4662 402462 4660->4662 4664 402c39 17 API calls 4661->4664 4665 40246f 4661->4665 4667 402cf7 4662->4667 4666 402448 RegDeleteValueA RegCloseKey 4664->4666 4666->4665 4668 402d03 4667->4668 4669 402d0a 4667->4669 4668->4665 4669->4668 4671 402d3b 4669->4671 4672 40620e RegOpenKeyExA 4671->4672 4673 402d69 4672->4673 4674 402d79 RegEnumValueA 4673->4674 4675 402d9c 4673->4675 4682 402e13 4673->4682 4674->4675 4676 402e03 RegCloseKey 4674->4676 4675->4676 4677 402dd8 RegEnumKeyA 4675->4677 4678 402de1 RegCloseKey 4675->4678 4680 402d3b 6 API calls 4675->4680 4676->4682 4677->4675 4677->4678 4679 406794 5 API calls 4678->4679 4681 402df1 4679->4681 4680->4675 4681->4682 4683 402df5 RegDeleteKeyA 4681->4683 4682->4668 4683->4682 4684 4027aa 4685 402c39 17 API calls 4684->4685 4686 4027b1 FindFirstFileA 4685->4686 4687 4027d4 4686->4687 4688 4027c4 4686->4688 4689 4027db 4687->4689 4692 4062e6 wsprintfA 4687->4692 4693 406388 lstrcpynA 4689->4693 4692->4689 4693->4688 4694 403b2c 4695 403b37 4694->4695 4696 403b3b 4695->4696 4697 403b3e GlobalAlloc 4695->4697 4697->4696 4698 401c2e 4699 402c17 17 API calls 4698->4699 4700 401c35 4699->4700 4701 402c17 17 API calls 4700->4701 4702 401c42 4701->4702 4703 402c39 17 API calls 4702->4703 4704 401c57 4702->4704 4703->4704 4705 401c67 4704->4705 4706 402c39 17 API calls 4704->4706 4707 401c72 4705->4707 4708 401cbe 4705->4708 4706->4705 4710 402c17 17 API calls 4707->4710 4709 402c39 17 API calls 4708->4709 4711 401cc3 4709->4711 4712 401c77 4710->4712 4713 402c39 17 API calls 4711->4713 4714 402c17 17 API calls 4712->4714 4715 401ccc FindWindowExA 4713->4715 4716 401c83 4714->4716 4719 401cea 4715->4719 4717 401c90 SendMessageTimeoutA 4716->4717 4718 401cae SendMessageA 4716->4718 
4717->4719 4718->4719 4720 40262e 4721 402633 4720->4721 4722 402647 4720->4722 4723 402c17 17 API calls 4721->4723 4724 402c39 17 API calls 4722->4724 4726 40263c 4723->4726 4725 40264e lstrlenA 4724->4725 4725->4726 4727 402670 4726->4727 4728 405fc2 WriteFile 4726->4728 4728->4727 3175 401932 3176 401934 3175->3176 3181 402c39 3176->3181 3182 402c45 3181->3182 3224 40641b 3182->3224 3185 401939 3187 405b4a 3185->3187 3266 405e08 3187->3266 3190 405b72 DeleteFileA 3220 401942 3190->3220 3191 405b89 3192 405cb7 3191->3192 3280 406388 lstrcpynA 3191->3280 3192->3220 3309 4066ff FindFirstFileA 3192->3309 3194 405baf 3195 405bc2 3194->3195 3196 405bb5 lstrcatA 3194->3196 3281 405d61 lstrlenA 3195->3281 3198 405bc8 3196->3198 3201 405bd6 lstrcatA 3198->3201 3202 405be1 lstrlenA FindFirstFileA 3198->3202 3201->3202 3202->3192 3210 405c05 3202->3210 3205 405d45 CharNextA 3205->3210 3206 405b02 5 API calls 3207 405cf1 3206->3207 3208 405cf5 3207->3208 3209 405d0b 3207->3209 3215 4054a9 24 API calls 3208->3215 3208->3220 3213 4054a9 24 API calls 3209->3213 3210->3205 3211 405c96 FindNextFileA 3210->3211 3219 405b4a 60 API calls 3210->3219 3221 4054a9 24 API calls 3210->3221 3285 406388 lstrcpynA 3210->3285 3286 405b02 3210->3286 3294 4054a9 3210->3294 3305 406161 MoveFileExA 3210->3305 3211->3210 3214 405cae FindClose 3211->3214 3213->3220 3214->3192 3216 405d02 3215->3216 3217 406161 36 API calls 3216->3217 3217->3220 3219->3210 3221->3211 3228 406428 3224->3228 3225 40664d 3226 402c66 3225->3226 3257 406388 lstrcpynA 3225->3257 3226->3185 3241 406666 3226->3241 3228->3225 3229 406627 lstrlenA 3228->3229 3232 40641b 10 API calls 3228->3232 3234 406543 GetSystemDirectoryA 3228->3234 3235 406556 GetWindowsDirectoryA 3228->3235 3236 406666 5 API calls 3228->3236 3237 40658a SHGetSpecialFolderLocation 3228->3237 3238 40641b 10 API calls 3228->3238 3239 4065d0 lstrcatA 3228->3239 3250 40626f 3228->3250 3255 4062e6 wsprintfA 3228->3255 3256 406388 lstrcpynA 3228->3256 
3229->3228 3232->3229 3234->3228 3235->3228 3236->3228 3237->3228 3240 4065a2 SHGetPathFromIDListA CoTaskMemFree 3237->3240 3238->3228 3239->3228 3240->3228 3248 406672 3241->3248 3242 4066da 3243 4066de CharPrevA 3242->3243 3246 4066f9 3242->3246 3243->3242 3244 4066cf CharNextA 3244->3242 3244->3248 3246->3185 3247 4066bd CharNextA 3247->3248 3248->3242 3248->3244 3248->3247 3249 4066ca CharNextA 3248->3249 3262 405d45 3248->3262 3249->3244 3258 40620e 3250->3258 3253 4062a3 RegQueryValueExA RegCloseKey 3254 4062d2 3253->3254 3254->3228 3255->3228 3256->3228 3257->3226 3259 40621d 3258->3259 3260 406221 3259->3260 3261 406226 RegOpenKeyExA 3259->3261 3260->3253 3260->3254 3261->3260 3263 405d4b 3262->3263 3264 405d5e 3263->3264 3265 405d51 CharNextA 3263->3265 3264->3248 3265->3263 3315 406388 lstrcpynA 3266->3315 3268 405e19 3316 405db3 CharNextA CharNextA 3268->3316 3271 405b6a 3271->3190 3271->3191 3272 406666 5 API calls 3278 405e2f 3272->3278 3273 405e5a lstrlenA 3274 405e65 3273->3274 3273->3278 3276 405d1a 3 API calls 3274->3276 3275 4066ff 2 API calls 3275->3278 3277 405e6a GetFileAttributesA 3276->3277 3277->3271 3278->3271 3278->3273 3278->3275 3279 405d61 2 API calls 3278->3279 3279->3273 3280->3194 3282 405d6e 3281->3282 3283 405d73 CharPrevA 3282->3283 3284 405d7f 3282->3284 3283->3282 3283->3284 3284->3198 3285->3210 3322 405ef6 GetFileAttributesA 3286->3322 3289 405b2f 3289->3210 3290 405b25 DeleteFileA 3292 405b2b 3290->3292 3291 405b1d RemoveDirectoryA 3291->3292 3292->3289 3293 405b3b SetFileAttributesA 3292->3293 3293->3289 3295 4054c4 3294->3295 3304 405567 3294->3304 3296 4054e1 lstrlenA 3295->3296 3297 40641b 17 API calls 3295->3297 3298 40550a 3296->3298 3299 4054ef lstrlenA 3296->3299 3297->3296 3301 405510 SetWindowTextA 3298->3301 3302 40551d 3298->3302 3300 405501 lstrcatA 3299->3300 3299->3304 3300->3298 3301->3302 3303 405523 SendMessageA SendMessageA SendMessageA 3302->3303 3302->3304 3303->3304 3304->3210 3306 406182 3305->3306 3307 
406175 3305->3307 3306->3210 3325 405ff1 3307->3325 3310 405cdb 3309->3310 3311 406715 FindClose 3309->3311 3310->3220 3312 405d1a lstrlenA CharPrevA 3310->3312 3311->3310 3313 405d34 lstrcatA 3312->3313 3314 405ce5 3312->3314 3313->3314 3314->3206 3315->3268 3317 405dde 3316->3317 3318 405dce 3316->3318 3320 405d45 CharNextA 3317->3320 3321 405dfe 3317->3321 3318->3317 3319 405dd9 CharNextA 3318->3319 3319->3321 3320->3317 3321->3271 3321->3272 3323 405b0e 3322->3323 3324 405f08 SetFileAttributesA 3322->3324 3323->3289 3323->3290 3323->3291 3324->3323 3326 406017 3325->3326 3327 40603d GetShortPathNameA 3325->3327 3352 405f1b GetFileAttributesA CreateFileA 3326->3352 3329 406052 3327->3329 3330 40615c 3327->3330 3329->3330 3332 40605a wsprintfA 3329->3332 3330->3306 3331 406021 CloseHandle GetShortPathNameA 3331->3330 3333 406035 3331->3333 3334 40641b 17 API calls 3332->3334 3333->3327 3333->3330 3335 406082 3334->3335 3353 405f1b GetFileAttributesA CreateFileA 3335->3353 3337 40608f 3337->3330 3338 40609e GetFileSize GlobalAlloc 3337->3338 3339 4060c0 3338->3339 3340 406155 CloseHandle 3338->3340 3354 405f93 ReadFile 3339->3354 3340->3330 3345 4060f3 3347 405e80 4 API calls 3345->3347 3346 4060df lstrcpyA 3348 406101 3346->3348 3347->3348 3349 406138 SetFilePointer 3348->3349 3361 405fc2 WriteFile 3349->3361 3352->3331 3353->3337 3355 405fb1 3354->3355 3355->3340 3356 405e80 lstrlenA 3355->3356 3357 405ec1 lstrlenA 3356->3357 3358 405ec9 3357->3358 3359 405e9a lstrcmpiA 3357->3359 3358->3345 3358->3346 3359->3358 3360 405eb8 CharNextA 3359->3360 3360->3357 3362 405fe0 GlobalFree 3361->3362 3362->3340 4729 402733 4730 40273a 4729->4730 4733 402a47 4729->4733 4731 402c17 17 API calls 4730->4731 4732 402741 4731->4732 4734 402750 SetFilePointer 4732->4734 4734->4733 4735 402760 4734->4735 4737 4062e6 wsprintfA 4735->4737 4737->4733 4738 401e35 GetDC 4739 402c17 17 API calls 4738->4739 4740 401e47 GetDeviceCaps MulDiv ReleaseDC 4739->4740 4741 402c17 17 API calls 
4740->4741 4742 401e78 4741->4742 4743 40641b 17 API calls 4742->4743 4744 401eb5 CreateFontIndirectA 4743->4744 4745 402628 4744->4745 4746 4014b7 4747 4014bd 4746->4747 4748 401389 2 API calls 4747->4748 4749 4014c5 4748->4749 3558 4015bb 3559 402c39 17 API calls 3558->3559 3560 4015c2 3559->3560 3561 405db3 4 API calls 3560->3561 3574 4015ca 3561->3574 3562 401624 3564 401652 3562->3564 3565 401629 3562->3565 3563 405d45 CharNextA 3563->3574 3567 401423 24 API calls 3564->3567 3566 401423 24 API calls 3565->3566 3568 401630 3566->3568 3575 40164a 3567->3575 3585 406388 lstrcpynA 3568->3585 3572 40163b SetCurrentDirectoryA 3572->3575 3573 40160c GetFileAttributesA 3573->3574 3574->3562 3574->3563 3574->3573 3577 405a09 3574->3577 3580 40596f CreateDirectoryA 3574->3580 3586 4059ec CreateDirectoryA 3574->3586 3589 406794 GetModuleHandleA 3577->3589 3581 4059c0 GetLastError 3580->3581 3582 4059bc 3580->3582 3581->3582 3583 4059cf SetFileSecurityA 3581->3583 3582->3574 3583->3582 3584 4059e5 GetLastError 3583->3584 3584->3582 3585->3572 3587 405a00 GetLastError 3586->3587 3588 4059fc 3586->3588 3587->3588 3588->3574 3590 4067b0 3589->3590 3591 4067ba GetProcAddress 3589->3591 3595 406726 GetSystemDirectoryA 3590->3595 3593 405a10 3591->3593 3593->3574 3594 4067b6 3594->3591 3594->3593 3596 406748 wsprintfA LoadLibraryExA 3595->3596 3596->3594 4750 40453b lstrcpynA lstrlenA 4751 4016bb 4752 402c39 17 API calls 4751->4752 4753 4016c1 GetFullPathNameA 4752->4753 4754 4016d8 4753->4754 4760 4016f9 4753->4760 4756 4066ff 2 API calls 4754->4756 4754->4760 4755 40170d GetShortPathNameA 4757 402ac5 4755->4757 4758 4016e9 4756->4758 4758->4760 4761 406388 lstrcpynA 4758->4761 4760->4755 4760->4757 4761->4760 4762 406ebd 4764 40690c 4762->4764 4763 407277 4764->4763 4764->4764 4765 406996 GlobalAlloc 4764->4765 4766 40698d GlobalFree 4764->4766 4767 406a04 GlobalFree 4764->4767 4768 406a0d GlobalAlloc 4764->4768 4765->4763 4765->4764 4766->4765 4767->4768 4768->4763 4768->4764

Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 0 4034cc-40351c SetErrorMode GetVersionExA 1 40355d 0->1 2 40351e-403538 GetVersionExA 0->2 3 403564 1->3 2->3 4 40353a-403559 2->4 5 403566-403571 3->5 6 403588-40358f 3->6 4->1 7 403573-403582 5->7 8 403584 5->8 9 403591 6->9 10 403599-4035d9 6->10 7->6 8->6 9->10 11 4035db-4035e3 call 406794 10->11 12 4035ec 10->12 11->12 17 4035e5 11->17 14 4035f1-403605 call 406726 lstrlenA 12->14 19 403607-403623 call 406794 * 3 14->19 17->12 26 403634-403694 #17 OleInitialize SHGetFileInfoA call 406388 GetCommandLineA call 406388 19->26 27 403625-40362b 19->27 34 403696-40369a 26->34 35 40369f-4036b2 call 405d45 CharNextA 26->35 27->26 31 40362d 27->31 31->26 34->35 38 403773-403777 35->38 39 4036b7-4036ba 38->39 40 40377d 38->40 41 4036c2-4036c9 39->41 42 4036bc-4036c0 39->42 43 403791-4037ab GetTempPathA call 40349b 40->43 44 4036d0-4036d3 41->44 45 4036cb-4036cc 41->45 42->41 42->42 53 403803-40381b DeleteFileA call 402f5c 43->53 54 4037ad-4037cb GetWindowsDirectoryA lstrcatA call 40349b 43->54 47 403764-403770 call 405d45 44->47 48 4036d9-4036dd 44->48 45->44 47->38 63 403772 47->63 51 4036f5-403722 48->51 52 4036df-4036e5 48->52 59 403734-403762 51->59 60 403724-40372a 51->60 57 4036e7-4036e9 52->57 58 4036eb 52->58 68 403821-403827 53->68 69 4038ae-4038bf ExitProcess OleUninitialize 53->69 54->53 71 4037cd-4037fd GetTempPathA lstrcatA SetEnvironmentVariableA * 2 call 40349b 54->71 57->51 57->58 58->51 59->47 62 40377f-40378c call 406388 59->62 65 403730 60->65 66 40372c-40372e 60->66 62->43 63->38 65->59 66->59 66->65 73 403829-403834 call 405d45 68->73 74 40389f-4038a6 call 403b6e 68->74 75 4038c5-4038d4 call 405a9e ExitProcess 69->75 76 4039e8-4039ee 69->76 71->53 71->69 91 403836-40385f 73->91 92 40386a-403873 73->92 83 4038ab 74->83 81 4039f0-403a05 GetCurrentProcess OpenProcessToken 76->81 82 403a66-403a6e 76->82 88 403a36-403a44 call 406794 81->88 89 403a07-403a30 
LookupPrivilegeValueA AdjustTokenPrivileges 81->89 85 403a70 82->85 86 403a73-403a76 ExitProcess 82->86 83->69 85->86 97 403a52-403a5d ExitWindowsEx 88->97 98 403a46-403a50 88->98 89->88 94 403861-403863 91->94 95 403875-403883 call 405e08 92->95 96 4038da-4038ee call 405a09 lstrcatA 92->96 94->92 99 403865-403868 94->99 95->69 105 403885-40389b call 406388 * 2 95->105 108 4038f0-4038f6 lstrcatA 96->108 109 4038fb-403915 lstrcatA lstrcmpiA 96->109 97->82 102 403a5f-403a61 call 40140b 97->102 98->97 98->102 99->92 99->94 102->82 105->74 108->109 109->69 111 403917-40391a 109->111 113 403923 call 4059ec 111->113 114 40391c-403921 call 40596f 111->114 120 403928-403936 SetCurrentDirectoryA 113->120 114->120 121 403943-40396e call 406388 120->121 122 403938-40393e call 406388 120->122 126 403974-403991 call 40641b DeleteFileA 121->126 122->121 129 4039d1-4039da 126->129 130 403993-4039a3 CopyFileA 126->130 129->126 132 4039dc-4039e3 call 406161 129->132 130->129 131 4039a5-4039c5 call 406161 call 40641b call 405a21 130->131 131->129 141 4039c7-4039ce CloseHandle 131->141 132->69 141->129
                                                              APIs
                                                              • SetErrorMode.KERNELBASE(00008001), ref: 004034EF
                                                              • GetVersionExA.KERNEL32(?), ref: 00403518
                                                              • GetVersionExA.KERNEL32(0000009C), ref: 0040352F
                                                              • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F8
                                                              • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403635
                                                              • OleInitialize.OLE32(00000000), ref: 0040363C
                                                              • SHGetFileInfoA.SHELL32(0041FD10,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040365A
                                                              • GetCommandLineA.KERNEL32(00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 0040366F
                                                              • CharNextA.USER32(00000000,"C:\Users\user\AppData\Local\Temp\setup.exe",00000020,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,00000007,00000009,0000000B), ref: 004036A9
                                                              • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 004037A2
                                                              • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004037B3
                                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037BF
                                                              • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037D3
                                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037DB
                                                              • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037EC
                                                              • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004037F4
                                                              • DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 00403808
                                                              • ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 004038AE
                                                              • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004038B3
                                                              • ExitProcess.KERNEL32 ref: 004038D4
                                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004038E7
                                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A1B0,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004038F6
                                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 00403901
                                                              • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp), ref: 0040390D
                                                              • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403929
                                                              • DeleteFileA.KERNEL32(0041F910,0041F910,?,00425000,?,?,00000007,00000009,0000000B), ref: 00403986
                                                              • CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,0041F910,00000001), ref: 0040399B
                                                              • CloseHandle.KERNEL32(00000000,0041F910,0041F910,?,0041F910,00000000,?,00000007,00000009,0000000B), ref: 004039C8
                                                              • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004039F6
                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 004039FD
                                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A11
                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A30
                                                              • ExitWindowsEx.USER32(00000002,80040002), ref: 00403A55
                                                              • ExitProcess.KERNEL32 ref: 00403A76
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                                                              • String ID: "$"C:\Users\user\AppData\Local\Temp\setup.exe"$.tmp$1033$A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                              • API String ID: 2882342585-4217013349
                                                              • Opcode ID: 912f83a836eb1fe613a791148bb63afd1bd4364e3d9f696fa0d110b9325e2922
                                                              • Instruction ID: 1a4863036e4e50ed5e1acae1e6299f6db15da00d6e87979e5214c03ba8a99dba
                                                              • Opcode Fuzzy Hash: 912f83a836eb1fe613a791148bb63afd1bd4364e3d9f696fa0d110b9325e2922
                                                              • Instruction Fuzzy Hash: 99E1D270A04354AADB21AF659D49B6F7EB89F86306F0540BFF441B61D2CB7C4A05CB2E

                                                              Control-flow Graph (rendered image; edge list not reproduced): function entry 405b4a, blocks 405b4a-405d17, calling DeleteFileA, lstrcatA, lstrlenA, FindFirstFileA, FindNextFileA and FindClose.
                                                              APIs
                                                              • DeleteFileA.KERNELBASE(?,?,75923410,75922EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405B73
                                                              • lstrcatA.KERNEL32(00421D58,\*.*,00421D58,?,?,75923410,75922EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BBB
                                                              • lstrcatA.KERNEL32(?,0040A014,?,00421D58,?,?,75923410,75922EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BDC
                                                              • lstrlenA.KERNEL32(?,?,0040A014,?,00421D58,?,?,75923410,75922EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BE2
                                                              • FindFirstFileA.KERNELBASE(00421D58,?,?,?,0040A014,?,00421D58,?,?,75923410,75922EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BF3
                                                              • FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405CA0
                                                              • FindClose.KERNEL32(00000000), ref: 00405CB1
                                                              Strings
                                                              • \*.*, xrefs: 00405BB5
                                                              • "C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00405B53
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                              • String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$\*.*
                                                              • API String ID: 2035342205-2936579034
                                                              • Opcode ID: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
                                                              • Instruction ID: 9e5d3321e74a3647b1fb2cdcf4bec0a51507e3563529971eb59e862f6dba24c5
                                                              • Opcode Fuzzy Hash: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
                                                              • Instruction Fuzzy Hash: 2B519130908B04AAEB316B61CC49BAF7AB8DF82755F14813FF851B51D2C73C5982DE69

                                                              Control-flow Graph (rendered image; edge list not reproduced): function entry 406a88, blocks 40690c-40732a, calling GlobalAlloc and GlobalFree.
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
                                                              • Instruction ID: c2ee61ea0ab5e5811791f69f03c7ffba3fbd093a674906ee4b434ab4c587e2e9
                                                              • Opcode Fuzzy Hash: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
                                                              • Instruction Fuzzy Hash: 0FF18A70D04269CBDF28CF98C8946ADBBB0FF44305F24816ED856BB281D7786A86DF45
                                                              APIs
                                                              • FindFirstFileA.KERNELBASE(75923410,004225A0,C:\,00405E4B,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0), ref: 0040670A
                                                              • FindClose.KERNEL32(00000000), ref: 00406716
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: Find$CloseFileFirst
                                                              • String ID: C:\
                                                              • API String ID: 2295610775-3404278061
                                                              • Opcode ID: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
                                                              • Instruction ID: 083b1303d1f5dd1ba3b50291930e0491dd498af142a60d7bee4daa0eb941c193
                                                              • Opcode Fuzzy Hash: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
                                                              • Instruction Fuzzy Hash: B3D01231515120BBC3405B38AE0C95B7E589F093747618A36F066F22E4DB74CC6286AC

                                                              Control-flow Graph (rendered image; edge list not reproduced): function entry 403b6e, blocks 403b6e-403e32, calling lstrcatA, lstrlenA, lstrcmpiA, GetFileAttributesA, LoadImageA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, ShowWindow, GetClassInfoA and DialogBoxParamA.
                                                              APIs
                                                                • Part of subcall function 00406794: GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
                                                                • Part of subcall function 00406794: GetProcAddress.KERNEL32(00000000,?), ref: 004067C1
                                                              • lstrcatA.KERNEL32(1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,75923410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403BE9
                                                              • lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,?,?,?,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00000000,C:\Users\user\AppData\Roaming\GamePall,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,75923410), ref: 00403C5E
                                                              • lstrcmpiA.KERNEL32(?,.exe), ref: 00403C71
                                                              • GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403C7C
                                                              • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\GamePall), ref: 00403CC5
                                                                • Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3
                                                              • RegisterClassA.USER32(00423EE0), ref: 00403D02
                                                              • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403D1A
                                                              • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403D4F
                                                              • ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403D85
                                                              • GetClassInfoA.USER32(00000000,RichEdit20A,00423EE0), ref: 00403DB1
                                                              • GetClassInfoA.USER32(00000000,RichEdit,00423EE0), ref: 00403DBE
                                                              • RegisterClassA.USER32(00423EE0), ref: 00403DC7
                                                              • DialogBoxParamA.USER32(?,00000000,00403F0B,00000000), ref: 00403DE6
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                              • String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall\GamePall.exe$Control Panel\Desktop\ResourceLocale$PB$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$>B

                                                               Control-flow Graph
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 00402F70
                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\setup.exe,00000400), ref: 00402F8C
                                                                • Part of subcall function 00405F1B: GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
                                                                • Part of subcall function 00405F1B: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
                                                              • GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00402FD5
                                                              • GlobalAlloc.KERNEL32(00000040,00000009), ref: 00403117
                                                              Strings
                                                              • Error launching installer, xrefs: 00402FAC
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00402F66, 0040312F
                                                              • C:\Users\user\AppData\Local\Temp, xrefs: 00402FB7, 00402FBC, 00402FC2
                                                              • Inst, xrefs: 00403041
                                                              • C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00402F76, 00402F85, 00402F99, 00402FB6
                                                              • soft, xrefs: 0040304A
                                                              • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004031AE
                                                              • "C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00402F65
                                                              • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403160
                                                              • Null, xrefs: 00403053
                                                              Similarity
                                                              • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                              • String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft

                                                               Control-flow Graph
                                                              APIs
                                                              • GetSystemDirectoryA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00000400), ref: 00406549
                                                              • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00000400,?,00420530,00000000,004054E1,00420530,00000000), ref: 0040655C
                                                              • SHGetSpecialFolderLocation.SHELL32(004054E1,00000000,?,00420530,00000000,004054E1,00420530,00000000), ref: 00406598
                                                              • SHGetPathFromIDListA.SHELL32(00000000,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe), ref: 004065A6
                                                              • CoTaskMemFree.OLE32(00000000), ref: 004065B2
                                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D6
                                                              • lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,?,00420530,00000000,004054E1,00420530,00000000,00000000,00000000,00000000), ref: 00406628
                                                              Similarity
                                                              • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                              • String ID: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch

                                                              Control-flow Graph

                                                              APIs
                                                              • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,C:\Users\user\AppData\Roaming\GamePall,00000000,00000000,00000031), ref: 00401798
                                                              • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00000000,00000000,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,C:\Users\user\AppData\Roaming\GamePall,00000000,00000000,00000031), ref: 004017C2
                                                                • Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395
                                                                • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                                • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                                • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                                • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                                                              Similarity
                                                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                              • String ID: C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall\GamePall.exe$C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe

                                                               Control-flow Graph
                                                              APIs
                                                              • CreateDirectoryA.KERNELBASE(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
                                                              • GetLastError.KERNEL32 ref: 004059C6
                                                              • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004059DB
                                                              • GetLastError.KERNEL32 ref: 004059E5
                                                              Similarity
                                                              • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                              • String ID: !9@$C:\Users\user\AppData\Local\Temp\

                                                               Control-flow Graph
                                                              APIs
                                                              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
                                                              • wsprintfA.USER32 ref: 00406776
                                                              • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040678A
                                                              Similarity
                                                              • API ID: DirectoryLibraryLoadSystemwsprintf
                                                              • String ID: %s%s.dll$UXTHEME$\

                                                              Control-flow Graph

                                                              APIs
                                                              • GlobalAlloc.KERNELBASE(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
                                                              • GlobalFree.KERNEL32(?), ref: 004028A4
                                                              • GlobalFree.KERNELBASE(00000000), ref: 004028B7
                                                              • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D3
                                                              • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: Global$AllocFree$ChangeCloseDeleteFileFindNotification
                                                              • String ID:
                                                              • API String ID: 2989416154-0
                                                              • Opcode ID: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
                                                              • Instruction ID: cd924008ac91bdcd896aacfcc8aadc4f9c7de1b4393fc14a433ce499bdbf1d56
                                                              • Opcode Fuzzy Hash: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
                                                              • Instruction Fuzzy Hash: D931AC32800128ABDF216FA5DE49D9E7A75FF08364F24423AF450B62D0CB7949419F68

                                                              Control-flow Graph

                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 00405F5E
                                                              • GetTempFileNameA.KERNELBASE(0000000B,?,00000000,?,?,004034CA,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007), ref: 00405F78
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: CountFileNameTempTick
                                                              • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                              • API String ID: 1716503409-44229769
                                                              • Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                                                              • Instruction ID: 05c77450f8afc2c62a5a11a921c51d956a1ea51751b09822177720344b0c8500
                                                              • Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                                                              • Instruction Fuzzy Hash: 02F082363042087BDB109F55DD44BAB7B9CDF91750F14C03BFE48DA180D6B4D9988798

                                                              Control-flow Graph

                                                              APIs
                                                              • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020D0
                                                                • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                                • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                                • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                                • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                                                              • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020E0
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
                                                              • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                              • String ID:
                                                              • API String ID: 2987980305-0
                                                              • Opcode ID: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
                                                              • Instruction ID: efc1da79dccaef9ffb2761d2644f5cd4432d5c2edc08e83b6cf0327c91c21bf2
                                                              • Opcode Fuzzy Hash: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
                                                              • Instruction Fuzzy Hash: 2B210832904214E7CF207FA58E4DAAE3A60AF44358F60413FF601B61E0DBBD49819A6E

                                                              Control-flow Graph

                                                              APIs
                                                              • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403A8E
                                                              • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403AA2
                                                              Strings
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00403A81
                                                              • C:\Users\user\AppData\Local\Temp\nscD224.tmp\, xrefs: 00403AB2
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nscD224.tmp\
                                                              • API String ID: 2962429428-3358115381
                                                              • Opcode ID: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
                                                              • Instruction ID: f2bf129958ed6937e4157d035670f95a6da1e01cb45a681b65e96f9405f647bf
                                                              • Opcode Fuzzy Hash: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
                                                              • Instruction Fuzzy Hash: F4E08631640B1896C130EF7CAD4D8853B189B413357204726F1B9F20F0C738A9574EE9

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
                                                                • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
                                                                • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA
                                                              • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                                • Part of subcall function 0040596F: CreateDirectoryA.KERNELBASE(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
                                                              • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\GamePall,00000000,00000000,000000F0), ref: 0040163C
                                                              Strings
                                                              • C:\Users\user\AppData\Roaming\GamePall, xrefs: 00401631
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                              • String ID: C:\Users\user\AppData\Roaming\GamePall
                                                              • API String ID: 1892508949-4021349974
                                                              • Opcode ID: 686546c29d77d16800122f5f58dad040e92f1cd5cb46c8d43cba2cc5979698c7
                                                              • Instruction ID: f3b3600b6319d637c5497ea1020ed17c5aedac6227b62b2eaa768bc98e31f113
                                                              • Opcode Fuzzy Hash: 686546c29d77d16800122f5f58dad040e92f1cd5cb46c8d43cba2cc5979698c7
                                                              • Instruction Fuzzy Hash: 09115731508140EBCF306FA54D405BF23B09E96324B28453FF8D1B22E2DA3D0C42AA3E

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395
                                                                • Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
                                                                • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
                                                                • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA
                                                              • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405E5B
                                                              • GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0), ref: 00405E6B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                              • String ID: C:\
                                                              • API String ID: 3248276644-3404278061
                                                              • Opcode ID: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
                                                              • Instruction ID: eca821d8ca18e415d707ee210574ba5bb9731226a542ad11e9256983d04766a4
                                                              • Opcode Fuzzy Hash: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
                                                              • Instruction Fuzzy Hash: F7F02831105D5116C6223336AD09AAF1644CE9732471A453FFCE1B52D2DB3C8A539CEE
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
                                                              • Instruction ID: 14484b0326c8a5630d33184448731c7578348ec986130544f859662fecd3ad08
                                                              • Opcode Fuzzy Hash: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
                                                              • Instruction Fuzzy Hash: 04A12471E04229CBDF28CFA8C844BADBBB1FF44305F14816AD956BB281C7786986DF45
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
                                                              • Instruction ID: 16a3963220edad981734dfbd86db7ae4535d0e52bcc7a87e0ef86c627c8cfaa4
                                                              • Opcode Fuzzy Hash: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
                                                              • Instruction Fuzzy Hash: 2D912370D04268CBDF28CF98C854BADBBB1FF44305F14816AD956BB281C7786986DF45
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
                                                              • Instruction ID: e981be8a744509f315cfd76b32476d9c10b76e0a4aa84739a8d113cb33934a41
                                                              • Opcode Fuzzy Hash: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
                                                              • Instruction Fuzzy Hash: 37812471E04228CBDF24CFA8C844BADBBB1FF45305F24816AD856BB291C7789986DF45
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
                                                              • Instruction ID: 8182d74baebb800b0d472bca2432a1a472ea96a2662ae7b36db949844af6c4d7
                                                              • Opcode Fuzzy Hash: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
                                                              • Instruction Fuzzy Hash: DF815971E04228DBEF24CFA8C844BADBBB1FF44305F10816AD956BB281C7786986DF45
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
                                                              • Instruction ID: 516ab04208dd2bc2fd7cdea6c41d3130492ff38fa800e35acf718bd73fbf6333
                                                              • Opcode Fuzzy Hash: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
                                                              • Instruction Fuzzy Hash: A4712271E04228CBDF24CF98C844BADBBB1FF48305F14806AD856BB281C778A986DF45
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
                                                              • Instruction ID: 835baf8de871759411e2c74e4a47f0112f02d54065241c3c7dcda5dc236b3f46
                                                              • Opcode Fuzzy Hash: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
                                                              • Instruction Fuzzy Hash: 92712571E04228CBEF28CF98C844BADBBB1FF44305F15816AD856BB281C7786996DF45
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
                                                              • Instruction ID: ccec74d0ee3a806077926e8984c2e201e8b1f3d886c73ab216be699138b2bca7
                                                              • Opcode Fuzzy Hash: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
                                                              • Instruction Fuzzy Hash: 39715771E04228CBEF28CF98C844BADBBB1FF44305F14806AD956BB281C778A946DF45
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 00403319
                                                                • Part of subcall function 00403484: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403182,?), ref: 00403492
                                                              • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 0040334C
                                                              • SetFilePointer.KERNELBASE(155A8948,00000000,00000000,004138F8,00004000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000), ref: 00403447
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: FilePointer$CountTick
                                                              • String ID:
                                                              • API String ID: 1092082344-0
                                                              • Opcode ID: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
                                                              • Instruction ID: 5f41a1ef9683aad456499e8308d87ccfcfa217f8aa92108fcff4f05b83e24891
                                                              • Opcode Fuzzy Hash: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
                                                              • Instruction Fuzzy Hash: 1F319F72A002059FC711BF2AFE849663BACE741356710C13BE814B62F0CB3859458FAD
                                                              APIs
                                                              • lstrlenA.KERNEL32(0040AC20,00000023,00000011,00000002), ref: 004024C9
                                                              • RegSetValueExA.KERNELBASE(?,?,?,?,0040AC20,00000000,00000011,00000002), ref: 00402509
                                                              • RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: CloseValuelstrlen
                                                              • String ID:
                                                              • API String ID: 2655323295-0
                                                              • Opcode ID: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
                                                              • Instruction ID: e1e6ae2a7b536448810537a1ffa9a52b32d6c636ce9630cd27147c6707bb0a71
                                                              • Opcode Fuzzy Hash: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
                                                              • Instruction Fuzzy Hash: 04116371E04208AFEB10AFA5DE49AAEBA74EB84714F21443BF504F71C1DAB94D409B68
                                                              APIs
                                                              • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C2
                                                              • RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025D5
                                                              • RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: Enum$CloseValue
                                                              • String ID:
                                                              • API String ID: 397863658-0
                                                              • Opcode ID: 039baf7d42ae34e4e7f4f0d82c42536c565db7a64b10d6b3f593835efb4c20b6
                                                              • Instruction ID: 33ff3e85e785963e302667c06a3cb1355a7acd8bf142a31c2560ef5bcfc7d759
                                                              • Opcode Fuzzy Hash: 039baf7d42ae34e4e7f4f0d82c42536c565db7a64b10d6b3f593835efb4c20b6
                                                              • Instruction Fuzzy Hash: 2C017571904104FFE7158F54DE88ABF7BACEF81358F20443EF101A61C0DAB44E449679
                                                              APIs
                                                                • Part of subcall function 00405EF6: GetFileAttributesA.KERNELBASE(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
                                                                • Part of subcall function 00405EF6: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405F0F
                                                              • RemoveDirectoryA.KERNELBASE(?,?,?,00000000,00405CF1), ref: 00405B1D
                                                              • DeleteFileA.KERNELBASE(?,?,?,00000000,00405CF1), ref: 00405B25
                                                              • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B3D
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_setup.jbxd
Similarity
• API ID: File$Attributes$DeleteDirectoryRemove
• String ID:
• API String ID: 1655745494-0
• Opcode ID: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
• Instruction ID: eeb49a2f717892c2e0964ab94aaac89db2a73fdd151ed94c70539e0cf44bba43
• Opcode Fuzzy Hash: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
• Instruction Fuzzy Hash: 6CE0E531109A9097C62067349908A5B7AF8EF86314F094D3AF9A1F20D0DB38B9468EBD
APIs
• SetFilePointer.KERNELBASE(00000009,00000000,00000000,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 00403222
Memory Dump Source
• Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_setup.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
• Instruction ID: 301e065564a74905a78554ad982773151ad037ba2d6e6f8d8cd401a7b941de18
• Opcode Fuzzy Hash: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
• Instruction Fuzzy Hash: E2318D30200219FFDB109F95ED45A9A3FA8EB05755B20847EB914E61D0D738DB509FA9
APIs
• RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040254E
• RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
Memory Dump Source
• Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_setup.jbxd
Similarity
• API ID: CloseQueryValue
• String ID:
• API String ID: 3356406503-0
• Opcode ID: 6617ca3d26eaa2170afdc71dc748124b2257766e2e1ea0df1a2f7a4cdc0ba340
• Instruction ID: 7c766f3f1fb2abd04e903467a79d83897fdaad9d0bba0580308fe752c8381985
• Opcode Fuzzy Hash: 6617ca3d26eaa2170afdc71dc748124b2257766e2e1ea0df1a2f7a4cdc0ba340
• Instruction Fuzzy Hash: 1B11BF71905205EFDB25CF64DA985AE7BB4AF11355F20483FE042B72C0D6B88A85DA1D
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_setup.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
• Instruction ID: c6e23866af321c238b4b59365f681da1ab702c54c00e726fca3ee5b0521d1f72
• Opcode Fuzzy Hash: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
• Instruction Fuzzy Hash: 5201D131B242109BE7194B38AE04B2A36A8E754315F51813AF851F61F1DB78CC129B4D
APIs
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
• CloseHandle.KERNEL32(?), ref: 00405A57
Memory Dump Source
• Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_setup.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID:
• API String ID: 3712363035-0
• Opcode ID: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
• Instruction ID: 70dcd79ab4e1e9e84cc9ba673cd08f466e07e48f17d85ed3475224309c024e1a
• Opcode Fuzzy Hash: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
• Instruction Fuzzy Hash: A5E04FB4600209BFEB009B64ED09F7B77ACFB04244F808421BE40F2150D67899658A78
APIs
• GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
• GetProcAddress.KERNEL32(00000000,?), ref: 004067C1
  • Part of subcall function 00406726: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
  • Part of subcall function 00406726: wsprintfA.USER32 ref: 00406776
  • Part of subcall function 00406726: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040678A
Memory Dump Source
• Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_setup.jbxd
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
• Opcode ID: 6cfaa89c8510a3ae83a05a93334a7968bfc88d7e7cb527baf598ad9b980e56cb
• Instruction ID: 2a593beb9babc16b4b5ae8275dbdfb46ef4ebf17ea7291b62b5d373670c31446
• Opcode Fuzzy Hash: 6cfaa89c8510a3ae83a05a93334a7968bfc88d7e7cb527baf598ad9b980e56cb
• Instruction Fuzzy Hash: B6E0863260421157D21067705E4897773ACAF94B54302043EF546F3144D7389C76966D
APIs
• GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
• CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
Memory Dump Source
• Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_setup.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
• Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
• Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
• Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19
APIs
• GetFileAttributesA.KERNELBASE(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
• SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405F0F
Memory Dump Source
• Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_setup.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
• Instruction ID: 2a9487917742c73a52daa6fa2dda6e447083e2efb983b62a69771bacbdb33add
• Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
• Instruction Fuzzy Hash: E3D0C972504422ABD2102728AE0889BBB55DB94271702CA35FDA5A26F1DB304C569A9C
APIs
• CreateDirectoryA.KERNELBASE(?,00000000,004034BF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004059F2
• GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405A00
Memory Dump Source
• Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_setup.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
• Instruction ID: 42ce2bd36b25b14d2ed8d631edf33fc643f4c4eb5ed9af5e51ab4a49ffb09bba
• Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
• Instruction Fuzzy Hash: 9BC04C303145419AD6505B309F4DB177A54AB50741F51553A638AE01A0DA348465DD2D
APIs
• RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEA,00000000,?,?), ref: 00406265
Memory Dump Source
• Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_setup.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
• Instruction ID: 57b18be241489d6c3509c0f1b2cb500900bdd64e2c84313365475615acd8ae2e
• Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
• Instruction Fuzzy Hash: 16E0E672010109BEDF196F50DD0AD7B371DEB04341F01492EF916D4091E6B5A9309734
APIs
• WriteFile.KERNELBASE(00000009,00000000,00000000,00000000,00000000,0040D99A,0040B8F8,00403405,0040B8F8,0040D99A,004138F8,00004000,?,00000000,0040322F,00000004), ref: 00405FD6
Memory Dump Source
• Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: FileWrite
                                                              • String ID:
                                                              • API String ID: 3934441357-0
                                                              • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                              • Instruction ID: d5187e51ab0d96a1766449b5dbb93cac2cdd9e80b7d20ab2fc0b5d8c8d5322e8
                                                              • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                              • Instruction Fuzzy Hash: 4AE0EC3221065BABDF109E659C04EEB7B6CEB05360F004437FA55E3150D675E8219BA4
                                                              APIs
                                                              • ReadFile.KERNELBASE(00000009,00000000,00000000,00000000,00000000,004138F8,0040B8F8,00403481,00000009,00000009,00403385,004138F8,00004000,?,00000000,0040322F), ref: 00405FA7
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID:
                                                              • API String ID: 2738559852-0
                                                              • Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
                                                              • Instruction ID: 61a6516da629700e98a59d605e8380186fb5f41ecf47873683bd74a9a2ef61d4
                                                              • Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
                                                              • Instruction Fuzzy Hash: 8BE08C3220161EEBEF119E508C00AEBBB6CEB00360F004433FD25E3140E234E9218BA8
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403182,?), ref: 00403492
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: FilePointer
                                                              • String ID:
                                                              • API String ID: 973152223-0
                                                              • Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                              • Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
                                                              • Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                              • Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
                                                              APIs
                                                                • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                                • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                                • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                                • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                                                                • Part of subcall function 00405A21: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
                                                                • Part of subcall function 00405A21: CloseHandle.KERNEL32(?), ref: 00405A57
                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0
                                                                • Part of subcall function 00406809: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
                                                                • Part of subcall function 00406809: GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C
                                                                • Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                              • String ID:
                                                              • API String ID: 2972824698-0
                                                              • Opcode ID: b93a315dc59908fe351c40803e733eeda605d55301c746aa3fa59235fa4bc662
                                                              • Instruction ID: dce1314ccbc215d7d9c334b017be086f7c4cc40ba0f87dfe0d8145fd67a5eb82
                                                              • Opcode Fuzzy Hash: b93a315dc59908fe351c40803e733eeda605d55301c746aa3fa59235fa4bc662
                                                              • Instruction Fuzzy Hash: 2DF0B432A05121DBDB20BFA59EC49EEB2A4DF41318B25463FF502B21D1CB7C4D418A6E
                                                              APIs
                                                              • GetDlgItem.USER32(?,00000403), ref: 00405646
                                                              • GetDlgItem.USER32(?,000003EE), ref: 00405655
                                                              • GetClientRect.USER32(?,?), ref: 00405692
                                                              • GetSystemMetrics.USER32(00000002), ref: 00405699
                                                              • SendMessageA.USER32(?,0000101B,00000000,?), ref: 004056BA
                                                              • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004056CB
                                                              • SendMessageA.USER32(?,00001001,00000000,?), ref: 004056DE
                                                              • SendMessageA.USER32(?,00001026,00000000,?), ref: 004056EC
                                                              • SendMessageA.USER32(?,00001024,00000000,?), ref: 004056FF
                                                              • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405721
                                                              • ShowWindow.USER32(?,00000008), ref: 00405735
                                                              • GetDlgItem.USER32(?,000003EC), ref: 00405756
                                                              • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405766
                                                              • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040577F
                                                              • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040578B
                                                              • GetDlgItem.USER32(?,000003F8), ref: 00405664
                                                                • Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448
                                                              • GetDlgItem.USER32(?,000003EC), ref: 004057A7
                                                              • CreateThread.KERNEL32(00000000,00000000,Function_0000557B,00000000), ref: 004057B5
                                                              • CloseHandle.KERNEL32(00000000), ref: 004057BC
                                                              • ShowWindow.USER32(00000000), ref: 004057DF
                                                              • ShowWindow.USER32(?,00000008), ref: 004057E6
                                                              • ShowWindow.USER32(00000008), ref: 0040582C
                                                              • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405860
                                                              • CreatePopupMenu.USER32 ref: 00405871
                                                              • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405886
                                                              • GetWindowRect.USER32(?,000000FF), ref: 004058A6
                                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004058BF
                                                              • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004058FB
                                                              • OpenClipboard.USER32(00000000), ref: 0040590B
                                                              • EmptyClipboard.USER32 ref: 00405911
                                                              • GlobalAlloc.KERNEL32(00000042,?), ref: 0040591A
                                                              • GlobalLock.KERNEL32(00000000), ref: 00405924
                                                              • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405938
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00405951
                                                              • SetClipboardData.USER32(00000001,00000000), ref: 0040595C
                                                              • CloseClipboard.USER32 ref: 00405962
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                              • String ID: PB
                                                              • API String ID: 590372296-3196168531
                                                              • Opcode ID: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
                                                              • Instruction ID: 44a2cb424ceca129f1c721a27905a8e57bc1109532c064cce4e419f7e60c3497
                                                              • Opcode Fuzzy Hash: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
                                                              • Instruction Fuzzy Hash: 18A13971900608FFDB11AF64DE85AAE7BB9FB48355F00403AFA41BA1A0CB754E51DF58
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003F9), ref: 00404E21
                                                              • GetDlgItem.USER32(?,00000408), ref: 00404E2E
                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404E7D
                                                              • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E94
                                                              • SetWindowLongA.USER32(?,000000FC,0040541D), ref: 00404EAE
                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404EC0
                                                              • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404ED4
                                                              • SendMessageA.USER32(?,00001109,00000002), ref: 00404EEA
                                                              • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404EF6
                                                              • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404F06
                                                              • DeleteObject.GDI32(00000110), ref: 00404F0B
                                                              • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404F36
                                                              • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404F42
                                                              • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404FDC
                                                              • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 0040500C
                                                                • Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448
                                                              • SendMessageA.USER32(?,00001100,00000000,?), ref: 00405020
                                                              • GetWindowLongA.USER32(?,000000F0), ref: 0040504E
                                                              • SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040505C
                                                              • ShowWindow.USER32(?,00000005), ref: 0040506C
                                                              • SendMessageA.USER32(?,00000419,00000000,?), ref: 00405167
                                                              • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004051CC
                                                              • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004051E1
                                                              • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00405205
                                                              • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00405225
                                                              • ImageList_Destroy.COMCTL32(?), ref: 0040523A
                                                              • GlobalFree.KERNEL32(?), ref: 0040524A
                                                              • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004052C3
                                                              • SendMessageA.USER32(?,00001102,?,?), ref: 0040536C
                                                              • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040537B
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 004053A6
                                                              • ShowWindow.USER32(?,00000000), ref: 004053F4
                                                              • GetDlgItem.USER32(?,000003FE), ref: 004053FF
                                                              • ShowWindow.USER32(00000000), ref: 00405406
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                              • String ID: $M$N
                                                              • API String ID: 2564846305-813528018
                                                              • Opcode ID: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
                                                              • Instruction ID: c306c4130ea67d8582adb4b0d0e706bf782d7aff15223233fd0d43401108afdf
                                                              • Opcode Fuzzy Hash: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
                                                              • Instruction Fuzzy Hash: 6C025CB0A00609AFDB209F94DD45AAE7BB5FB84354F10817AF610BA2E1D7789D42CF58
                                                              APIs
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403F47
                                                              • ShowWindow.USER32(?), ref: 00403F67
                                                              • GetWindowLongA.USER32(?,000000F0), ref: 00403F79
                                                              • ShowWindow.USER32(?,00000004), ref: 00403F92
                                                              • DestroyWindow.USER32 ref: 00403FA6
                                                              • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403FBF
                                                              • GetDlgItem.USER32(?,?), ref: 00403FDE
                                                              • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403FF2
                                                              • IsWindowEnabled.USER32(00000000), ref: 00403FF9
                                                              • GetDlgItem.USER32(?,00000001), ref: 004040A4
                                                              • GetDlgItem.USER32(?,00000002), ref: 004040AE
                                                              • SetClassLongA.USER32(?,000000F2,?), ref: 004040C8
                                                              • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00404119
                                                              • GetDlgItem.USER32(?,00000003), ref: 004041BF
                                                              • ShowWindow.USER32(00000000,?), ref: 004041E0
                                                              • EnableWindow.USER32(?,?), ref: 004041F2
                                                              • EnableWindow.USER32(?,?), ref: 0040420D
                                                              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404223
                                                              • EnableMenuItem.USER32(00000000), ref: 0040422A
                                                              • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00404242
                                                              • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404255
                                                              • lstrlenA.KERNEL32(00420D50,?,00420D50,00000000), ref: 0040427F
                                                              • SetWindowTextA.USER32(?,00420D50), ref: 0040428E
                                                              • ShowWindow.USER32(?,0000000A), ref: 004043C2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                                                              • String ID: PB
                                                              • API String ID: 1860320154-3196168531
                                                              • Opcode ID: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
                                                              • Instruction ID: 6b3c419a8b2de2434844e8cd53afab52d63163afb5b1bd925d395a768d9dd0e6
                                                              • Opcode Fuzzy Hash: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
                                                              • Instruction Fuzzy Hash: ECC1D2B1A00204BBCB206F61EE45E2B3A78EB85745F41053EF781B61F1CB3998929B5D
                                                              APIs
                                                              • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004045FB
                                                              • GetDlgItem.USER32(00000000,000003E8), ref: 0040460F
                                                              • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040462D
                                                              • GetSysColor.USER32(?), ref: 0040463E
                                                              • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040464D
                                                              • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040465C
                                                              • lstrlenA.KERNEL32(?), ref: 0040465F
                                                              • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040466E
                                                              • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404683
                                                              • GetDlgItem.USER32(?,0000040A), ref: 004046E5
                                                              • SendMessageA.USER32(00000000), ref: 004046E8
                                                              • GetDlgItem.USER32(?,000003E8), ref: 00404713
                                                              • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404753
                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 00404762
                                                              • SetCursor.USER32(00000000), ref: 0040476B
                                                              • LoadCursorA.USER32(00000000,00007F00), ref: 00404781
                                                              • SetCursor.USER32(00000000), ref: 00404784
                                                              • SendMessageA.USER32(00000111,00000001,00000000), ref: 004047B0
                                                              • SendMessageA.USER32(00000010,00000000,00000000), ref: 004047C4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                              • String ID: N$6B
                                                              • API String ID: 3103080414-649610290
                                                              • Opcode ID: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
                                                              • Instruction ID: 424ea1d81b5f8fd67bb79b8421ee67f108f717641e3cc5fc4ea293435da972af
                                                              • Opcode Fuzzy Hash: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
                                                              • Instruction Fuzzy Hash: CE6190B1A40208BFDB109F61DD45B6A7B69FB84715F10843AFB01BB2D1C7B8A951CF98
                                                              APIs
                                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
                                                              • GetShortPathNameA.KERNEL32(?,00422AE0,00000400), ref: 0040602B
                                                                • Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
                                                                • Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2
                                                              • GetShortPathNameA.KERNEL32(?,00422EE0,00000400), ref: 00406048
                                                              • wsprintfA.USER32 ref: 00406066
                                                              • GetFileSize.KERNEL32(00000000,00000000,00422EE0,C0000000,00000004,00422EE0,?,?,?,?,?), ref: 004060A1
                                                              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
                                                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
                                                              • SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,004226E0,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
                                                              • GlobalFree.KERNEL32(00000000), ref: 0040614F
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406156
                                                                • Part of subcall function 00405F1B: GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
                                                                • Part of subcall function 00405F1B: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                              • String ID: %s=%s$[Rename]$*B$.B$.B
                                                              • API String ID: 2171350718-3836630945
                                                              • Opcode ID: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
                                                              • Instruction ID: 7566a5a9e9d08134d14435fb5d3e1561ad96112206bac95af022f508aac3f812
                                                              • Opcode Fuzzy Hash: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
                                                              • Instruction Fuzzy Hash: 68310531200715BBC2207B659D49F6B3A5DDF85754F15003EFE42BA2C3EA7CD8228AAD
                                                              APIs
                                                              • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                              • BeginPaint.USER32(?,?), ref: 00401047
                                                              • GetClientRect.USER32(?,?), ref: 0040105B
                                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                              • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                              • DeleteObject.GDI32(?), ref: 004010ED
                                                              • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                              • SelectObject.GDI32(00000000,?), ref: 00401140
                                                              • DrawTextA.USER32(00000000,00423F40,000000FF,00000010,00000820), ref: 00401156
                                                              • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                              • DeleteObject.GDI32(?), ref: 00401165
                                                              • EndPaint.USER32(?,?), ref: 0040116E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                              • String ID: F
                                                              • API String ID: 941294808-1304234792
                                                              • Opcode ID: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
                                                              • Instruction ID: bc851ab26da2bb863bf3a2ee07eb2f950de800ada4cbee7b2d64f78586a04119
                                                              • Opcode Fuzzy Hash: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
                                                              • Instruction Fuzzy Hash: 2C419D71800249AFCF058FA5DE459AF7FB9FF45314F00802AF991AA1A0C734DA55DFA4
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003FB), ref: 004048E6
                                                              • SetWindowTextA.USER32(00000000,?), ref: 00404910
                                                              • SHBrowseForFolderA.SHELL32(?,00420128,?), ref: 004049C1
                                                              • CoTaskMemFree.OLE32(00000000), ref: 004049CC
                                                              • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00420D50), ref: 004049FE
                                                              • lstrcatA.KERNEL32(?,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe), ref: 00404A0A
                                                              • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404A1C
                                                                • Part of subcall function 00405A82: GetDlgItemTextA.USER32(?,?,00000400,00404A53), ref: 00405A95
                                                                • Part of subcall function 00406666: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
                                                                • Part of subcall function 00406666: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
                                                                • Part of subcall function 00406666: CharNextA.USER32(0000000B,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
                                                                • Part of subcall function 00406666: CharPrevA.USER32(0000000B,0000000B,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0
                                                              • GetDiskFreeSpaceA.KERNEL32(0041FD20,?,?,0000040F,?,0041FD20,0041FD20,?,00000001,0041FD20,?,?,000003FB,?), ref: 00404ADA
                                                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AF5
                                                                • Part of subcall function 00404C4E: lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
                                                                • Part of subcall function 00404C4E: wsprintfA.USER32 ref: 00404CF4
                                                                • Part of subcall function 00404C4E: SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                              • String ID: A$C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall\GamePall.exe$PB
                                                              • API String ID: 2624150263-4118966266
                                                              • Opcode ID: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
                                                              • Instruction ID: 03633cdec68ae3b48ba4c7d33c4768738bfb21d85bfcf2e4b9185cba9ee35c0f
                                                              • Opcode Fuzzy Hash: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
                                                              • Instruction Fuzzy Hash: 7DA150B1A00208AADB11EFA5DD45BAFB6B8EF84315F10803BF601B62D1D77C99418F6D
                                                              APIs
                                                              • lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                              • lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                              • lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                              • SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                              • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                                                              • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                                                              • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                              • String ID: 4/@
                                                              • API String ID: 2531174081-3101945251
                                                              • Opcode ID: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
                                                              • Instruction ID: 7ab3267fb946cf8e7efc5916356ec1270af3577e2396c2c3629ce5ef3fcb69de
                                                              • Opcode Fuzzy Hash: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
                                                              • Instruction Fuzzy Hash: 0F217A71E00118BBCF119FA5DD8099EBFB9EF09354F04807AF944A6291C7788A90CFA8
                                                              APIs
                                                              • CharNextA.USER32(0000000B,*?|<>/":,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
                                                              • CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
                                                              • CharNextA.USER32(0000000B,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
                                                              • CharPrevA.USER32(0000000B,0000000B,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0
                                                              Strings
                                                              • *?|<>/":, xrefs: 004066AE
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00406667
                                                              • "C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00406666
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: Char$Next$Prev
                                                              • String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                              • API String ID: 589700163-3087229427
                                                              • Opcode ID: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
                                                              • Instruction ID: 80d428334b402c3338f843ea799862c1973996ffb1638880579f4ae0c72fc655
                                                              • Opcode Fuzzy Hash: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
                                                              • Instruction Fuzzy Hash: 7E1108518047902DEB3206340C04B7B7F894F977A0F2A087FD8C6722C2D67E5C62967D
                                                              APIs
                                                              • DestroyWindow.USER32(00000000,00000000), ref: 00402ED5
                                                              • GetTickCount.KERNEL32 ref: 00402EF3
                                                              • wsprintfA.USER32 ref: 00402F21
                                                                • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                                • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                                • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                                • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                                                                • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                                                              • CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402F45
                                                              • ShowWindow.USER32(00000000,00000005), ref: 00402F53
                                                                • Part of subcall function 00402EA1: MulDiv.KERNEL32(00000000,00000064,00001562), ref: 00402EB6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                              • String ID: ... %d%%$#Vh%.@
                                                              • API String ID: 722711167-1706192003
                                                              • Opcode ID: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
                                                              • Instruction ID: ac0ca11ee9366edb0cc6a28cc5aeb329eacd7d00ab00b3c3670f6d564c8935e4
                                                              • Opcode Fuzzy Hash: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
                                                              • Instruction Fuzzy Hash: 3F01A170542225EBCB21BB50EF0CBAB3778EB40744B04443BF505B21D0C7F894469AEE
                                                              APIs
                                                              • GetWindowLongA.USER32(?,000000EB), ref: 00404489
                                                              • GetSysColor.USER32(00000000), ref: 004044C7
                                                              • SetTextColor.GDI32(?,00000000), ref: 004044D3
                                                              • SetBkMode.GDI32(?,?), ref: 004044DF
                                                              • GetSysColor.USER32(?), ref: 004044F2
                                                              • SetBkColor.GDI32(?,?), ref: 00404502
                                                              • DeleteObject.GDI32(?), ref: 0040451C
                                                              • CreateBrushIndirect.GDI32(?), ref: 00404526
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                              • String ID:
                                                              • API String ID: 2320649405-0
                                                              • Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
                                                              • Instruction ID: 76b6fc4927f6120469f5ffa52701fcd3ddd76896e52d32ad6f55637f73cee333
                                                              • Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
                                                              • Instruction Fuzzy Hash: 9E2147B1501704AFCB31DF68ED08B5BBBF8AF41715B04892EEA96A26E0D734E904CB54
                                                              APIs
                                                              • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404D73
                                                              • GetMessagePos.USER32 ref: 00404D7B
                                                              • ScreenToClient.USER32(?,?), ref: 00404D95
                                                              • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404DA7
                                                              • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404DCD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: Message$Send$ClientScreen
                                                              • String ID: f
                                                              • API String ID: 41195575-1993550816
                                                              • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                              • Instruction ID: de178be9688f757f82ef56a4cbeb6693d0582b60b2ea90e1a00f6814b48fd044
                                                              • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                              • Instruction Fuzzy Hash: BB014871900219BADB01DBA4DD85BFEBBF8AF95B11F10016ABA40B61C0C6B499058BA4
                                                              APIs
                                                              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
                                                              • wsprintfA.USER32 ref: 00402E74
                                                              • SetWindowTextA.USER32(?,?), ref: 00402E84
                                                              • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E96
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: Text$ItemTimerWindowwsprintf
                                                              • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                              • API String ID: 1451636040-1158693248
                                                              • Opcode ID: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
                                                              • Instruction ID: 7ad4584a5e884be7344c254f70e0401137e7e46ce86c3cf658bb2ab9d23be74a
                                                              • Opcode Fuzzy Hash: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
                                                              • Instruction Fuzzy Hash: 1DF01D7054020DBAEF219F60DE0ABAE3769EB44344F00803AFA16B91D0DBB899558F99
                                                              APIs
                                                              • lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
                                                              • wsprintfA.USER32 ref: 00404CF4
                                                              • SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: ItemTextlstrlenwsprintf
                                                              • String ID: %u.%u%s%s$PB
                                                              • API String ID: 3540041739-838025833
                                                              • Opcode ID: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
                                                              • Instruction ID: 635705270cf82d3fa6c033b13715314544988666452c3f341a93ad76d23c3d90
                                                              • Opcode Fuzzy Hash: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
                                                              • Instruction Fuzzy Hash: 5F11E77360512837EB00656D9D45EAE3298DB85374F26423BFE26F71D1E978CC1286E8
                                                              APIs
                                                              • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
                                                              • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
                                                              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
                                                              • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
                                                              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: CloseEnum$DeleteValue
                                                              • String ID:
                                                              • API String ID: 1354259210-0
                                                              • Opcode ID: e74c2f698c9890700b4790f2c47d05d8785518f345c631b22f69380fd2d26fe8
                                                              • Instruction ID: 1f7d8097ab2fb743d310579a2b4365e3e31c1a4ec17ce584dda370d325fd3950
                                                              • Opcode Fuzzy Hash: e74c2f698c9890700b4790f2c47d05d8785518f345c631b22f69380fd2d26fe8
                                                              • Instruction Fuzzy Hash: 1D214B7150010CBBDF129F90CE89EEB7B7DEF44344F11007AF955B11A0D7B49EA49AA8
                                                              APIs
                                                              • GetDlgItem.USER32(?,?), ref: 00401D7E
                                                              • GetClientRect.USER32(?,?), ref: 00401DCC
                                                              • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
                                                              • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
                                                              • DeleteObject.GDI32(00000000), ref: 00401E20
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                              • String ID:
                                                              • API String ID: 1849352358-0
                                                              • Opcode ID: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
                                                              • Instruction ID: cb7cd4706ec086029cb46641885d9617bace417a5341e65c45b3777010ef1041
                                                              • Opcode Fuzzy Hash: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
                                                              • Instruction Fuzzy Hash: 35212A72E00109AFDF15DFA4DD85AAEBBB5EB88300F24417EF911F62A0DB389941DB14
                                                              APIs
                                                              • GetDC.USER32(?), ref: 00401E38
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                                                              • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                                                              • ReleaseDC.USER32(?,00000000), ref: 00401E6B
                                                              • CreateFontIndirectA.GDI32(0040B820), ref: 00401EBA
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: CapsCreateDeviceFontIndirectRelease
                                                              • String ID:
                                                              • API String ID: 3808545654-0
                                                              • Opcode ID: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
                                                              • Instruction ID: bfe7ce59390996d5b2ac71ca67757b7c78ff13e1b53bdd881068f9c0e557254e
                                                              • Opcode Fuzzy Hash: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
                                                              • Instruction Fuzzy Hash: 66018072504340AEE7007BB0AF8AA9A7FE8E755701F109439F241B61E2CB790449CB6C
                                                              APIs
                                                              • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                                                              • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Timeout
                                                              • String ID: !
                                                              • API String ID: 1777923405-2657877971
                                                              • Opcode ID: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
                                                              • Instruction ID: a12cfbdd51ff26f17676da16b1bc06906883597644a76ef85f46b7bf1251d8d3
                                                              • Opcode Fuzzy Hash: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
                                                              • Instruction Fuzzy Hash: 2A218271948208BEEB059FF5DA8AAAD7FB4EF84304F20447EF101B61D1D7B989819B18
                                                              APIs
                                                              • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D20
                                                              • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D29
                                                              • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405D3A
                                                              Strings
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405D1A
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: CharPrevlstrcatlstrlen
                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                              • API String ID: 2659869361-823278215
                                                              • Opcode ID: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
                                                              • Instruction ID: 6a6775ee8fa4d5d8d60a890cb1840bbff54d6a4bc9e312217f61a2b57c53a4e0
                                                              • Opcode Fuzzy Hash: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
                                                              • Instruction Fuzzy Hash: 82D0A7625015307AD20167154C09DDF29488F523017094027F501B7191C67C5C1187FD
                                                              APIs
                                                              • CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
                                                              • CharNextA.USER32(00000000), ref: 00405DC6
                                                              • CharNextA.USER32(00000000), ref: 00405DDA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: CharNext
                                                              • String ID: C:\
                                                              • API String ID: 3213498283-3404278061
                                                              • Opcode ID: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
                                                              • Instruction ID: a81d310af092f64b8c374c4571b8fed5a60269d48026fa3bbeeaae68e06855d2
                                                              • Opcode Fuzzy Hash: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
                                                              • Instruction Fuzzy Hash: 71F09661904F542BFB3293648C4CB776B8DCF55351F28947BE6807A6C1C27C59808FEA
                                                              APIs
                                                              • CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
                                                              • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA
                                                              Strings
                                                              • C:\Users\user\AppData\Roaming\GamePall, xrefs: 00402238
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: ByteCharCreateInstanceMultiWide
                                                              • String ID: C:\Users\user\AppData\Roaming\GamePall
                                                              • API String ID: 123533781-4021349974
                                                              • Opcode ID: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
                                                              • Instruction ID: 4a55140eb955682c0845ac661669d1effe53c60cfc8a987c49de3bb9103baba8
                                                              • Opcode Fuzzy Hash: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
                                                              • Instruction Fuzzy Hash: B2513575A00208AFDF10DFE4CA88A9D7BB5EF48314F2045BAF505EB2D1DA799981CB54
                                                              APIs
                                                              • IsWindowVisible.USER32(?), ref: 0040544C
                                                              • CallWindowProcA.USER32(?,?,?,?), ref: 0040549D
                                                                • Part of subcall function 00404451: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404463
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: Window$CallMessageProcSendVisible
                                                              • String ID:
                                                              • API String ID: 3748168415-3916222277
                                                              • Opcode ID: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
                                                              • Instruction ID: ce4d6245f7a5538c18ae28323cba1b5bdda0ccdff68052f186ad3da5f1ae13b7
                                                              • Opcode Fuzzy Hash: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
                                                              • Instruction Fuzzy Hash: 2A015E31200608AFDF216F51DD80BAF3A66EB84716F104537FA05761D2C7799CD29F6A
                                                              APIs
                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00420530,?,?,?,00000002,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,?,00406527,80000002), ref: 004062B5
                                                              • RegCloseKey.ADVAPI32(?,?,00406527,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,?,00420530), ref: 004062C0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: CloseQueryValue
                                                              • String ID: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              • API String ID: 3356406503-1702744724
                                                              • Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                                              • Instruction ID: 5c8aa4f59809ec7c4ed175be077f356401e74c3ba082423fbe1b6bbc42bea5f4
                                                              • Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                                              • Instruction Fuzzy Hash: 8101BC72100209ABDF229F60CC09FDB3FA8EF45364F01407AFD56A6190D638C974CBA8
                                                              APIs
                                                              • lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405D67
                                                              • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405D75
                                                              Strings
                                                              • C:\Users\user\AppData\Local\Temp, xrefs: 00405D61
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: CharPrevlstrlen
                                                              • String ID: C:\Users\user\AppData\Local\Temp
                                                              • API String ID: 2709904686-1943935188
                                                              • Opcode ID: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
                                                              • Instruction ID: 27c40c0738421aba4af956c8f0f705930dfe744a77a65273bf6dbb66402e0641
                                                              • Opcode Fuzzy Hash: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
                                                              • Instruction Fuzzy Hash: CBD0A772409D706EE31353208C04B8F6A48CF13300F0D4063E481A6190C2785C424BFD
                                                              APIs
                                                              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
                                                              • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405EA8
                                                              • CharNextA.USER32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB9
                                                              • lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3218922168.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3218905027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218941478.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000040A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.0000000000422000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3218960678.000000000042A000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000042E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000431000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.000000000043E000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3219022983.0000000000441000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_setup.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$CharNextlstrcmpi
                                                              • String ID:
                                                              • API String ID: 190613189-0
                                                              • Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
                                                              • Instruction ID: 98ea32bb50e75ca8be10b873c57fc005eda9f523d07111d413316ed06cfa332a
                                                              • Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
                                                              • Instruction Fuzzy Hash: 5FF06235104918AFCB129BA5DD4099EBFA8EF55350B2540B9E880F7211D674DF019BA9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nq$(nq$(nq$(nq$(nq$(nq$(nq$(nq$(nq
                                                              • API String ID: 0-1776058622
                                                              • Opcode ID: 2706257c9d9151b08f372cd29a6667f57b05b420ff144a35614d7f47b2d9d483
                                                              • Instruction ID: fcad1cdf6dfb4b8d4313e14b1dde24d566de21c72d1854d57369781f1a7f9615
                                                              • Opcode Fuzzy Hash: 2706257c9d9151b08f372cd29a6667f57b05b420ff144a35614d7f47b2d9d483
                                                              • Instruction Fuzzy Hash: F4329334B006148FCB04DF69D4546AEBBF2EF89311F24816AD805EB3A5DF349D4ACB95
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: +Vq^$;Vq^$KVq^$[Vq^$kVq^${Vq^$Uq^
                                                              • API String ID: 0-2719195581
                                                              • Opcode ID: 14c81527228cc91d8f2e8e387e9005a813e3e3a9f018df7b9390fbfdfc456731
                                                              • Instruction ID: f1fcb925d244f73d09daff7edfb078860fed1c650663a82c5f26419b9306f240
                                                              • Opcode Fuzzy Hash: 14c81527228cc91d8f2e8e387e9005a813e3e3a9f018df7b9390fbfdfc456731
                                                              • Instruction Fuzzy Hash: 5D714A711407049BC355EB64DA5099BBBE6FF80304314CA7E844A9BB69EF76F90ACBC0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: +Vq^$;Vq^$KVq^$[Vq^$kVq^${Vq^$Uq^
                                                              • API String ID: 0-2719195581
                                                              • Opcode ID: 80c1cf2c6c80c722b7a32924a412c96b43fedd9b71387b01f6885f7757c54c92
                                                              • Instruction ID: 3b43646ff133be6f8731fe3c1dfa39e122595c81c5a0aa2efd7e1b7cb3c26f57
                                                              • Opcode Fuzzy Hash: 80c1cf2c6c80c722b7a32924a412c96b43fedd9b71387b01f6885f7757c54c92
                                                              • Instruction Fuzzy Hash: B57129716407049BC355EB65DA5099BBBE6FF80304314CA7EC44A5BA69EF72F90ACBC0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nq$(nq$(nq
                                                              • API String ID: 0-1280547490
                                                              • Opcode ID: e17eda2b7dbdbd07f2bb1a9a9daa79094eb3c8c23a11aa165e2fbf9a2b2ae8c8
                                                              • Instruction ID: 7498eb8128248547ce019a4cacac081b80fa961228200ca0ec5d25af4e92f9c4
                                                              • Opcode Fuzzy Hash: e17eda2b7dbdbd07f2bb1a9a9daa79094eb3c8c23a11aa165e2fbf9a2b2ae8c8
                                                              • Instruction Fuzzy Hash: 67212D25B081A44FC719AB79541457F3FE79FCA25032945AFED06C73D1DD248E0B8396
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nq$(nq
                                                              • API String ID: 0-2974481825
                                                              • Opcode ID: fdc11085735a15d378a309b72a164e4cb6f58a4ad41571476f00a4a412ae9202
                                                              • Instruction ID: 7d8714789f2662fc606ca1f9d3d7fc08041127d625bf9d9a3ae50e500387115e
                                                              • Opcode Fuzzy Hash: fdc11085735a15d378a309b72a164e4cb6f58a4ad41571476f00a4a412ae9202
                                                              • Instruction Fuzzy Hash: 6FF19034B002149FDB05EB79D85066E7BBBEFC8340F24845AE906AB3A9DE349D46CB54
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: eq^
                                                              • API String ID: 0-2643049799
                                                              • Opcode ID: cca32183c9a5d31c2531039706aa770d0817edc7e174690aabac8ddcd85351b6
                                                              • Instruction ID: cc12e0d65e6fc50d40d1c47890234beeb0d0cebabe011e31fc668125b5d7a8cb
                                                              • Opcode Fuzzy Hash: cca32183c9a5d31c2531039706aa770d0817edc7e174690aabac8ddcd85351b6
                                                              • Instruction Fuzzy Hash: 73525E38A01200CFCB19EF74D558A6D7BB6FF88302B15846AD8169B2A9DF75DD86CF40
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nq
                                                              • API String ID: 0-2756854522
                                                              • Opcode ID: 8979f3b709d0c923c2148c04391bf0d5f6378a98b48410dcf369c8a44fca60b5
                                                              • Instruction ID: be916b3d0b997ead635880a2cf966d08a90f1ffbe6be4a775d721b6741aa7b17
                                                              • Opcode Fuzzy Hash: 8979f3b709d0c923c2148c04391bf0d5f6378a98b48410dcf369c8a44fca60b5
                                                              • Instruction Fuzzy Hash: EEA17F78B002189FDB05DFA9D954AAEBBF6FF88340F208029E805A7365DF359D45CB94
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: s@q^
                                                              • API String ID: 0-3044107695
                                                              • Opcode ID: 1244cf484ca74a936d4e3e93361e20a219ff047e527be68cf609718ab241b626
                                                              • Instruction ID: 485a77ab7cfb7ce51a74f4a918b96944017eab04aaaf2c366be6736ade3c60e6
                                                              • Opcode Fuzzy Hash: 1244cf484ca74a936d4e3e93361e20a219ff047e527be68cf609718ab241b626
                                                              • Instruction Fuzzy Hash: 315126715407049FC315EB74DA8195ABBE6EF853043148A6EC44AABA65EF36F90ACFC0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: s@q^
                                                              • API String ID: 0-3044107695
                                                              • Opcode ID: 03fd6425e71191dfe5709fcc45001d0e0480fbbcfdb428dc39bdec1ece209e4e
                                                              • Instruction ID: 023669a10cba90ccb823575a088349da655b7c62ee6a92242556dc5def857575
                                                              • Opcode Fuzzy Hash: 03fd6425e71191dfe5709fcc45001d0e0480fbbcfdb428dc39bdec1ece209e4e
                                                              • Instruction Fuzzy Hash: 615118715407049FC315EB74DA8095ABBE6EF85300354CA6EC54AABA65EF36F90ACFC0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Tejq
                                                              • API String ID: 0-2468842661
                                                              • Opcode ID: 1c9111d15af877433a852677cc289e8598faa6cc40d42b8a7c8b1edb6a788f4a
                                                              • Instruction ID: 894f21977165a3176cf30b2c9cfa4566583dab9070b560fe20eeab3ed585e3e9
                                                              • Opcode Fuzzy Hash: 1c9111d15af877433a852677cc289e8598faa6cc40d42b8a7c8b1edb6a788f4a
                                                              • Instruction Fuzzy Hash: 03418A747005049FC744EF29C899A6EBBE6FF89710F2580A9E50ADB3B6CE71DD058B90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Tejq
                                                              • API String ID: 0-2468842661
                                                              • Opcode ID: 1f1b07624a11d42f9cf77278dd7969087bc61f6afad50befcfccfd1dbf0f6169
                                                              • Instruction ID: 7142a23cd3c675dc3aac442c6d84633939ab7582992d25bd0cb543f3d1e10437
                                                              • Opcode Fuzzy Hash: 1f1b07624a11d42f9cf77278dd7969087bc61f6afad50befcfccfd1dbf0f6169
                                                              • Instruction Fuzzy Hash: 97419E347001048FC744EF2DC499A2EBBE6FF88710B2580A9E506DB3B6CE70DC058B90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LRjq
                                                              • API String ID: 0-665714880
                                                              • Opcode ID: cf290ad245a59b5ee0fcb35660d196e113a4545fc667563e0c59105be25c7f56
                                                              • Instruction ID: c4acc5f7521c2a5cf6b490f8d4edbfb3e46d3e44cbecd0c32c84177c6649f775
                                                              • Opcode Fuzzy Hash: cf290ad245a59b5ee0fcb35660d196e113a4545fc667563e0c59105be25c7f56
                                                              • Instruction Fuzzy Hash: 1B311B307042159FD74AAB79D56092F37B2EB89A14B2485ADD00ACB3A9DE36DC47CB84
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nq
                                                              • API String ID: 0-2756854522
                                                              • Opcode ID: 10d1e6d66b2842f6445d4b1643e00d485e7e042df40669a73f0bdee5f945538c
                                                              • Instruction ID: 0360ac2597d88c574a4bf4a8f2177ad92fe81769609c378f4c16174f456e5a50
                                                              • Opcode Fuzzy Hash: 10d1e6d66b2842f6445d4b1643e00d485e7e042df40669a73f0bdee5f945538c
                                                              • Instruction Fuzzy Hash: C91102217082A00FC30A977968646BE3FA6DEC2610B4841EFD885CB696CE69994FC3C4
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4764bdc01bd5760584e14ea3e6b9cb95efe8d70ebf1fd0c8eb17974a1530af4b
                                                              • Instruction ID: d25a2c6aa945a26148803f07f89ae5691cc4992babfcd5bae76a604881ddf04e
                                                              • Opcode Fuzzy Hash: 4764bdc01bd5760584e14ea3e6b9cb95efe8d70ebf1fd0c8eb17974a1530af4b
                                                              • Instruction Fuzzy Hash: 5F82D2B8640209EFDB06EBA5E654B6F7B7AEF88300F104415A801333ADCF396D56DB65
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ce582069ef27c1410b87ae8b82ff1462e3b6d1673f7c71982e067a4acb327ae8
                                                              • Instruction ID: 6b26e60c42a763a2fa582a96c683b3aa3a09d3673075c7383074fa8ca3039291
                                                              • Opcode Fuzzy Hash: ce582069ef27c1410b87ae8b82ff1462e3b6d1673f7c71982e067a4acb327ae8
                                                              • Instruction Fuzzy Hash: AE82D2B8640209EFDB06EBA5E654B6F7B7AEF88300F104415A801333ADCF396D56DB65
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c3e96c333cc2d2708b77dee09c2932223697793cddc93804c5b87531978693cd
                                                              • Instruction ID: 8b76c27fe1cb87caed052bc15ffaa75f07c766b530d25e43cb166d02b509f9b2
                                                              • Opcode Fuzzy Hash: c3e96c333cc2d2708b77dee09c2932223697793cddc93804c5b87531978693cd
                                                              • Instruction Fuzzy Hash: 05819238B00258AFCB05DBA5E954AAEBFB7EF88310F204459F901A73A5CF359D46CB54
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 00f7dcbd41c27e933814b46e484b49aad3f0fcb2ea3fb1a211c4beda9b2013ce
                                                              • Instruction ID: ae4083f59311a0182225de2c885f23ee8c4c18b7304724ea4ceeb0e594274260
                                                              • Opcode Fuzzy Hash: 00f7dcbd41c27e933814b46e484b49aad3f0fcb2ea3fb1a211c4beda9b2013ce
                                                              • Instruction Fuzzy Hash: 9F61FF719093944FD706973898705AE7FB4EF83214B0A41EBC081DB1B7EA288D0EC7A5
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 54f1a960c463cdd52c7d92ac70405b037bf1f141a350959bc67c9e4fcf8e640a
                                                              • Instruction ID: 71a5b2f5d9b357caf11192143c40a958ccf8593c8eb305182998636adffb3cb4
                                                              • Opcode Fuzzy Hash: 54f1a960c463cdd52c7d92ac70405b037bf1f141a350959bc67c9e4fcf8e640a
                                                              • Instruction Fuzzy Hash: 6E81283C602105CFCB16EF14EA89E5A7BBAFB48301B15C16AD5149B2ADCB74ED4ACF40
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 09826c35ab4b4585946d9a528ca37955ab39727fd1678ea6305da62b2bdebb1e
                                                              • Instruction ID: b9985e6a548cc93d2b495ce4110f47d4e960b72ac708152c9a551aa2fab03772
                                                              • Opcode Fuzzy Hash: 09826c35ab4b4585946d9a528ca37955ab39727fd1678ea6305da62b2bdebb1e
                                                              • Instruction Fuzzy Hash: 35515D78B006058FCB04DF68D99896EBBF5EF8D301B1140A9E905DB365DB30ED45CBA0
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6464611b5ab08c6b41b58a039b372c840e6c432148c4605ab7b78b81f6fd6d88
                                                              • Instruction ID: 97cf27243445a3f4212916f5a2553ef222456cdf2d874fb6f590f006c75a2967
                                                              • Opcode Fuzzy Hash: 6464611b5ab08c6b41b58a039b372c840e6c432148c4605ab7b78b81f6fd6d88
                                                              • Instruction Fuzzy Hash: 27512E38A00618DFCB14DFA5D594AAEB7F2FF88312F248469E805A7364DB349D85CF94
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 13d12527469bd3b320e5f0690617a9c3d3de71ffa97c0d51b3df636f45fbf20e
                                                              • Instruction ID: 35f14da65bdb4fd3bfde62e4339253ce744aae7cf8b2aa5eaf27565299d77565
                                                              • Opcode Fuzzy Hash: 13d12527469bd3b320e5f0690617a9c3d3de71ffa97c0d51b3df636f45fbf20e
                                                              • Instruction Fuzzy Hash: 00412634E10208CFEB04EFA5D9849ADBBF6FF89301F20452AD901A7268DB359985CF64
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c2cc0c38fe24ebf87f0c660680b0a713c24b1db9fe13cfc10c039a8c659f675e
                                                              • Instruction ID: 3bf63c6539ae859c5e9bd58a471dbf8e1276484f2060340404b5847d706143ca
                                                              • Opcode Fuzzy Hash: c2cc0c38fe24ebf87f0c660680b0a713c24b1db9fe13cfc10c039a8c659f675e
                                                              • Instruction Fuzzy Hash: 0331D6346002049FCB05DB79E9547AEBBBAFF85300F04452AD419EB2B5DF759D0ACB80
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 00dbe5075fa03dbfd40234c0cbf8cef53bd54382fb909449521f32c29432b040
                                                              • Instruction ID: f4cb174fc0dda2b58138f3f0db09b9e4a2c31c83666fa69558a787668c8d8449
                                                              • Opcode Fuzzy Hash: 00dbe5075fa03dbfd40234c0cbf8cef53bd54382fb909449521f32c29432b040
                                                              • Instruction Fuzzy Hash: 36411F38A00514DFCB04EFA5E5949ADBBB3FF88312F208469E805A7364EB349D86CF54
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 443c6433ec2621bd7318716ab7d142e7f4eb4248c66909bb4592272279e599e0
                                                              • Instruction ID: 0b9a2598c16b16bb7b0916c18f4653c05b631e50a6f02232892fb740b95dbf69
                                                              • Opcode Fuzzy Hash: 443c6433ec2621bd7318716ab7d142e7f4eb4248c66909bb4592272279e599e0
                                                              • Instruction Fuzzy Hash: E4417F34E50208CFEB04DFA4D9849EDBBF6FF89301F204529D901A7268DF359949CB64
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d4209eaf2d86584cdc260e89f0971f84343c1e7cdf26df52c7b201fc7962bdf7
                                                              • Instruction ID: 8a16278e0c2efa77a08753c1c4e41dddef7d1b8065e90daef8cbf913b089d9a4
                                                              • Opcode Fuzzy Hash: d4209eaf2d86584cdc260e89f0971f84343c1e7cdf26df52c7b201fc7962bdf7
                                                              • Instruction Fuzzy Hash: BC414934A00209CFDB05EF68D984AEE7BB1FF49300F10456AD911BB369DB359A46CFA0
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9ed2fe248e7a77787c70241a3144c86ea974eddd9db199a1d568116b674283a4
                                                              • Instruction ID: beef3860090022aed5543624bd2b2bb3cef8200ab0a9c0267fd04ab9b4a4f6cf
                                                              • Opcode Fuzzy Hash: 9ed2fe248e7a77787c70241a3144c86ea974eddd9db199a1d568116b674283a4
                                                              • Instruction Fuzzy Hash: D721D7302443455FC706EB78EC90EAE7BEAEF81350B04496AD4458F26ADF64AD0EC794
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 63009dcc2b82bb7f0760c7f8a10ae2ce01064f24cd04666dd3b8eb888b77b6c3
                                                              • Instruction ID: 1a8b426796c2bb510c85d18662754218ff0f123499448f119df87f5484717035
                                                              • Opcode Fuzzy Hash: 63009dcc2b82bb7f0760c7f8a10ae2ce01064f24cd04666dd3b8eb888b77b6c3
                                                              • Instruction Fuzzy Hash: 9D312C34A10209DFDB05EFA4D584AAE7BB5FF48310F10452AD915B7368DB35AE86CFA0
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a2d01ed0cad9d36a5bb188ec58a6f14298eecddfb15a5c44853eb47a5395f62a
                                                              • Instruction ID: a5ee0d2b06dc72926c5ff7ba4644edf22210bd0a9a87abb331dd9e58e923fa67
                                                              • Opcode Fuzzy Hash: a2d01ed0cad9d36a5bb188ec58a6f14298eecddfb15a5c44853eb47a5395f62a
                                                              • Instruction Fuzzy Hash: D3214874C00348AFDB10CFA9D589B9DBFF6EB88314F24812AE805A7350CB799945CF94
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 64f61508fe6e2b70e40eddeece32923a6d617b4258cc55126f3d667bd2ee9b44
                                                              • Instruction ID: ddc7af565e6fa982605189046bbfff52ddb13416ac0b3771849891b1cc3993b0
                                                              • Opcode Fuzzy Hash: 64f61508fe6e2b70e40eddeece32923a6d617b4258cc55126f3d667bd2ee9b44
                                                              • Instruction Fuzzy Hash: 40216F302443055FC709EB79E980E6E77EEEFC0350B448A2AE5059B269DF75AD0D8B94
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8eba2078aaba48780fe523176156a56f937ffb3f50d4ed931cc64430e52f8b3e
                                                              • Instruction ID: 6a9ee1f7f022be6deac24ad75b8a2b8860e39c6da7ee4e7ab7e65b56f6c4f8a6
                                                              • Opcode Fuzzy Hash: 8eba2078aaba48780fe523176156a56f937ffb3f50d4ed931cc64430e52f8b3e
                                                              • Instruction Fuzzy Hash: F0213774D00308EFCB10CFA9D588B9EBBF6EB88314F24811AE805A7350CB799945CF94
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 18d8374cde8ea24f772d0fa21997283d24d3604a7021b1a3aa4035a35429b472
                                                              • Instruction ID: 99b720da1e37b985e229f20974458a62762c406075375019ba5d6583a57fcb09
                                                              • Opcode Fuzzy Hash: 18d8374cde8ea24f772d0fa21997283d24d3604a7021b1a3aa4035a35429b472
                                                              • Instruction Fuzzy Hash: 65217435A042988FCB15CBA9C9A8BDD7FF1AF4D310F2400A9D441FB2A2D7755D89CB64
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 64b83b6c174827a74e7f6b1cd0496ba94f50c2908409fb1693cfae19f9377495
                                                              • Instruction ID: 24c407377092616116b0c2680f19a833b800c737fa51acc183e08e8962766a1b
                                                              • Opcode Fuzzy Hash: 64b83b6c174827a74e7f6b1cd0496ba94f50c2908409fb1693cfae19f9377495
                                                              • Instruction Fuzzy Hash: 27210B35A002188FDB14DBA9D594BDDBBF5AF4C311F2040A5D505BB360DB75AE84CBA4
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 83b4e84f346af79fc9dd04ece60235bed4ceb71ed7c206301f51a8f20afc5e7a
                                                              • Instruction ID: 179c97ed76e0ecfc80b7824fdb8de4a8a07e61ea2ba507a892043f2349941a90
                                                              • Opcode Fuzzy Hash: 83b4e84f346af79fc9dd04ece60235bed4ceb71ed7c206301f51a8f20afc5e7a
                                                              • Instruction Fuzzy Hash: 1B21B135E00205CFDB00DBA0CA087EEFBF1BF45302F54806AD815AB262DB768E89DB55
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 93ae31a0b28aa247a306418e8f8b6398ac2296d65423533086af1478b019547f
                                                              • Instruction ID: 2cbac8f4a160c8409ceb21ed419ad3d97e933a73413e87bdf6219c4543f9e642
                                                              • Opcode Fuzzy Hash: 93ae31a0b28aa247a306418e8f8b6398ac2296d65423533086af1478b019547f
                                                              • Instruction Fuzzy Hash: 5701D23130D3951FC306A7745C645BF3FAAEFC6210759009BD845DB287CE214D0AC3A5
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f5142b384d26e8bc6e3b3638331511f238ea895e344971f19a70abd1b2fbe50f
                                                              • Instruction ID: fe0883aaa54bc2b94de235674791050393466f67d6b6a5feba2b8a14e332f075
                                                              • Opcode Fuzzy Hash: f5142b384d26e8bc6e3b3638331511f238ea895e344971f19a70abd1b2fbe50f
                                                              • Instruction Fuzzy Hash: A0114F34F442649FDB45DB78E8687BE7BB2EF89301F04482DD842D7281DB35485ADB90
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7eacbd9d843ed4f3f2c9b86f398d638cd3c7d1e14fbb53547ce0780c449af2ba
                                                              • Instruction ID: 056935866d6035aa7a852465e03b22e2d01f530800a9814bd219c26c7a380579
                                                              • Opcode Fuzzy Hash: 7eacbd9d843ed4f3f2c9b86f398d638cd3c7d1e14fbb53547ce0780c449af2ba
                                                              • Instruction Fuzzy Hash: 9D1187343502058FCB04EF28F884E9ABBB9FF85704B0141AAE501DB275CF71EE098B80
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e12c18c0288e84c3188368db60b250ff4f3f2c0beafecba28d8eef3c0a94652f
                                                              • Instruction ID: 68155a01a5f74d940f74432c99bb11a93040cc368a0ffeb51c8b6ea14a37794c
                                                              • Opcode Fuzzy Hash: e12c18c0288e84c3188368db60b250ff4f3f2c0beafecba28d8eef3c0a94652f
                                                              • Instruction Fuzzy Hash: B20144763002249F8704EB79E49496EB7E6EBC9665324857FEA05C7310DE31DC46C7B0
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1bf9d0f9a39a8f10330dcc509ff9645208170338b7337216dd4ba2e2e7ea16e9
                                                              • Instruction ID: bf9f47647468a3effcc9dd1c0b56e862a117df6b95619b0eb78be1aa9f53366e
                                                              • Opcode Fuzzy Hash: 1bf9d0f9a39a8f10330dcc509ff9645208170338b7337216dd4ba2e2e7ea16e9
                                                              • Instruction Fuzzy Hash: 4C018C352143448FC711DB3C85558AA7BE1EF8561031489AAD186DF366DB71EC098FC0
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 033ed42861778d688f70d747295110129520423efb6da8b90fe86f84b5350874
                                                              • Instruction ID: 939b896d62a11d522be29ebca3b3df6e527a7ff680d59766f87e37cef53e4371
                                                              • Opcode Fuzzy Hash: 033ed42861778d688f70d747295110129520423efb6da8b90fe86f84b5350874
                                                              • Instruction Fuzzy Hash: A501ED38F443549BDB44EBB4E4586BE7BF2EB89301F004829E902A7245DF395855DB51
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ddfe275d0bf2c3d9a66af0fef56f7e51e85ee5b12d0ec1662f21677cededec87
                                                              • Instruction ID: ced136dddada32fd1f2920030161a5d1f839a80276cb5e7d390650e01b6038e6
                                                              • Opcode Fuzzy Hash: ddfe275d0bf2c3d9a66af0fef56f7e51e85ee5b12d0ec1662f21677cededec87
                                                              • Instruction Fuzzy Hash: 4EF0C830E04348AFCB40EFB8B4559AD7FF1DF86200B1441EAD844E7212DA310E49DB11
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ead16484a426d2560d61467f1d6b7821e7c2e44dd8aad0c198d94644ced01c2f
                                                              • Instruction ID: 3edd2d245e12451dbd911aed2bfafa3bf29a8d8a0e931dd5938d7034ccb3b3b6
                                                              • Opcode Fuzzy Hash: ead16484a426d2560d61467f1d6b7821e7c2e44dd8aad0c198d94644ced01c2f
                                                              • Instruction Fuzzy Hash: 83F03A753002209F87159B69E8D89AEBBA6EBCA665324856EE909C7311CE319C07CB60
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 576716d74fa919aabe9061a559376f71c30fead38d60e4c1b9f309c2228b4844
                                                              • Instruction ID: 7c34c103d323233a3debe89e300d3c9ffd60367c8853e16e4ba72db2984e5795
                                                              • Opcode Fuzzy Hash: 576716d74fa919aabe9061a559376f71c30fead38d60e4c1b9f309c2228b4844
                                                              • Instruction Fuzzy Hash: 36E0E5317043186B9708A6B67C51E7F66DEEBC86A0758042BF609D7344CF312D0483A8
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7690e82ab81fb94fc0a7a83aa327db0504f5bce99a6d51d8961c053a6a31e730
                                                              • Instruction ID: 4cacf7cf9f1b75c59a6510de5fef457e3b62d4055d4d0bb0ff2cf93b7ee140aa
                                                              • Opcode Fuzzy Hash: 7690e82ab81fb94fc0a7a83aa327db0504f5bce99a6d51d8961c053a6a31e730
                                                              • Instruction Fuzzy Hash: CFF03431E141698FCB45EFACC4156DE7BF0AF89314B2140AAD949EB222E6308A428B91
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1b3b3829b585c3b5ae693fcd315dc91799c50d883fdea2209df10d0c3c36e24c
                                                              • Instruction ID: a0ee98300906efca07e9db57649841b86e1a82c43e2e196dfc76f43d7de25501
                                                              • Opcode Fuzzy Hash: 1b3b3829b585c3b5ae693fcd315dc91799c50d883fdea2209df10d0c3c36e24c
                                                              • Instruction Fuzzy Hash: 8BF08234E0030CAFCB04EFB8E54596D7BF6DF84200F1041E9A905A7244DE305F48DB55
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f48b77972806dde52b0e60d06f9e557c990e839249056e2319f57657b9821734
                                                              • Instruction ID: 69537d1494872541ab2535179dfe1baa0a2446cbd6e9c597c711e2e26ce6fd42
                                                              • Opcode Fuzzy Hash: f48b77972806dde52b0e60d06f9e557c990e839249056e2319f57657b9821734
                                                              • Instruction Fuzzy Hash: 08E092357892A18FCB169778D46889B3FE5DF8A51530504E7E085CB3B2DA70CC12C791
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.3478801005.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_GamePall.jbxd

                                                              Execution Graph

                                                              Execution Coverage:12%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:9
                                                              Total number of Limit Nodes:0

                                                              Control-flow Graph

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL(00000000,00000000), ref: 0166E602
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3259334661.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_1660000_GamePall.jbxd

                                                              Control-flow Graph

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL(00000000,00000000), ref: 0166E602
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3259334661.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_1660000_GamePall.jbxd
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.3258938125.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_15dd000_GamePall.jbxd

                                                              Execution Graph

                                                              Execution Coverage:10.4%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:9
                                                              Total number of Limit Nodes:0

                                                              Control-flow Graph

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL(00000000,00000000), ref: 00AEE602
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.3236603904.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_ae0000_GamePall.jbxd

                                                              Control-flow Graph

                                                              APIs
                                                              • KiUserExceptionDispatcher.NTDLL(00000000,00000000), ref: 00AEE602
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.3236603904.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_ae0000_GamePall.jbxd

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.3454731819.0000000007F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_7f10000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nq
                                                              • API String ID: 0-2756854522
                                                              • Opcode ID: f2a823b294cf389b1f6bd749d295af3150778b5422f7544f07707e9ad0f8143b
                                                              • Instruction ID: 30f794f88adc8d8c9d0f34f7d05084ee2b88efa28818830fad858e10311f5a53
                                                              • Opcode Fuzzy Hash: f2a823b294cf389b1f6bd749d295af3150778b5422f7544f07707e9ad0f8143b
                                                              • Instruction Fuzzy Hash: BF014C357082854FC31AABB98818A6E7BA3EBD5300F19847ED589DF382DD34EC02C781
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.3454731819.0000000007F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_7f10000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.3236470632.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_a8d000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.3236470632.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_a8d000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.3236470632.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_a8d000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.3236470632.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_a8d000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.3236470632.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_a8d000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.3236470632.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_a8d000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.3454731819.0000000007F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_7f10000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.3236470632.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_a8d000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.3236470632.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_a8d000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.3454731819.0000000007F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_7f10000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nq$(nq$(nq$(nq$(nq$(nq$(nq$(nq$(nq
                                                              • API String ID: 0-1776058622
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nq$(nq
                                                              • API String ID: 0-2974481825
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: K.$K/
                                                              • API String ID: 0-4103799487
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: K.$K/
                                                              • API String ID: 0-4103799487
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nq$(nq
                                                              • API String ID: 0-2974481825
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nq
                                                              • API String ID: 0-2756854522
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nq
                                                              • API String ID: 0-2756854522
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Tejq
                                                              • API String ID: 0-2468842661
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Tejq
                                                              • API String ID: 0-2468842661
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LRjq
                                                              • API String ID: 0-665714880
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nq
                                                              • API String ID: 0-2756854522
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: O.3a
                                                              • API String ID: 0-507431011
                                                              • Opcode ID: b51903e6e03291fa223399db951d6bd88a75b304177034ebc3b1c50f0f2bdad3
                                                              • Instruction ID: a9d1095c9e8dd1597c7a245a66aa76b815b2f659e4bac9ad5d6b20e0b673a09a
                                                              • Opcode Fuzzy Hash: b51903e6e03291fa223399db951d6bd88a75b304177034ebc3b1c50f0f2bdad3
                                                              • Instruction Fuzzy Hash: F5216470D053189FDB20CFA8C989B9EBFF6EB48714F14806AE809A7380CB759844CF90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: O.3a
                                                              • API String ID: 0-507431011
                                                              • Opcode ID: 10a034d689731c34751c00ef9da1ae500aef2f1fa94986fc04e01d91598981a7
                                                              • Instruction ID: 716cb2c5d45d756e8df7830c638f6c8ea22bbf6c0e2db118d8dc0f29087dc67f
                                                              • Opcode Fuzzy Hash: 10a034d689731c34751c00ef9da1ae500aef2f1fa94986fc04e01d91598981a7
                                                              • Instruction Fuzzy Hash: 3C212274D05348DFDB24DFA8C549B9EBFF6AB48314F24846AE80AA7344CB759845CF90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nq
                                                              • API String ID: 0-2756854522
                                                              • Opcode ID: b82d4f2cef838427a025c01fe2d1cad2095281be2589e2c0ba67e3f473f12b2d
                                                              • Instruction ID: 7a8ac8ea701f67b53d84fa03ddd486ab67b46e3cca3aad4110d6c1fc7f05c2f5
                                                              • Opcode Fuzzy Hash: b82d4f2cef838427a025c01fe2d1cad2095281be2589e2c0ba67e3f473f12b2d
                                                              • Instruction Fuzzy Hash: 30F0E9327082505FD7099B79581493F3AEFDFC667071882AAEA06C76D1DD558C068391
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d6259f348ce2739e294fcaec6e66f41d6721266bdaa7d8fb0e18672e6f74a5bf
                                                              • Instruction ID: 5ffb3bf916ff6b127370dcb085bf50d00f3185ac647d0d1a575d82e77aef607c
                                                              • Opcode Fuzzy Hash: d6259f348ce2739e294fcaec6e66f41d6721266bdaa7d8fb0e18672e6f74a5bf
                                                              • Instruction Fuzzy Hash: CE8203B4740209DFDB05DBA9F658B5E7BBAEF88300F1044559801233AACA3D6D95DB3A
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aab3e614e2d393ea4e8ad28af348b9dd3389470abd307a20435dc1c925826c45
                                                              • Instruction ID: 16f1127b0df3b0f4808b68815ee0bc104067b1d7360f360e4db52bf7d36c709f
                                                              • Opcode Fuzzy Hash: aab3e614e2d393ea4e8ad28af348b9dd3389470abd307a20435dc1c925826c45
                                                              • Instruction Fuzzy Hash: D2523934B02204CFC758EF28E54896A7BF6FF89345B548469E8169B366DB39EC85CF40
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5ac05dc2c1bd65fdb2c21685e2805ea8f43fb6fcb3e80bf1ef90361cd89e3017
                                                              • Instruction ID: 45c4b6aecc0f7ed1fa9f4ff928b02995f1cc8953d6ca61672da20dc8c06a881d
                                                              • Opcode Fuzzy Hash: 5ac05dc2c1bd65fdb2c21685e2805ea8f43fb6fcb3e80bf1ef90361cd89e3017
                                                              • Instruction Fuzzy Hash: C181E470602205DFC714DF28FA89A5A7BF6FB49344B18C569D9158B23AC778EC89CF80
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 08e071b3a451691756ff2611d2f5423879af8acda21c372e61da43b6e586e16a
                                                              • Instruction ID: 9153b38f0c87324e9de81e25f383444217035ec065f842b12209abe2e59711b2
                                                              • Opcode Fuzzy Hash: 08e071b3a451691756ff2611d2f5423879af8acda21c372e61da43b6e586e16a
                                                              • Instruction Fuzzy Hash: 79513C75B002058FCB44DF69D998D6EBBF6EF89310B1140A9E906DB366DB30EC05CB50
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3dc02faf7e2e5880e318d773c5412322cb44235dffa85759e4f939f60afee312
                                                              • Instruction ID: 54a02509e1f0792ff0c4ff3d6219ee910ba24af8e5945311dc35f044fdc58ebb
                                                              • Opcode Fuzzy Hash: 3dc02faf7e2e5880e318d773c5412322cb44235dffa85759e4f939f60afee312
                                                              • Instruction Fuzzy Hash: 70516034A01218DFCB14DF69D994AAEB7F2FF89311F148469E806AB364DB349C41CF90
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f7dcf8ef89ab313c1252ee4889da0ee159b2950902c99820543e488215efbd78
                                                              • Instruction ID: 065cf0499c1fca37633368b34edfb8ae6ecc0040a71c572de5bec7b54116a8a1
                                                              • Opcode Fuzzy Hash: f7dcf8ef89ab313c1252ee4889da0ee159b2950902c99820543e488215efbd78
                                                              • Instruction Fuzzy Hash: 455107316407049BC359DF64DA4099BBBE6EF85304354CA6EC54A9BA64EF36F90ACFC0
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5ba26c9a0ec908d50563b0be508a0e0cbf30484ea470d97511ca9e8c9903d5fa
                                                              • Instruction ID: 6dc9c6e48019f1ed0e399920d2a5be6b63518e1113e8d654b118ddf0e2b48d68
                                                              • Opcode Fuzzy Hash: 5ba26c9a0ec908d50563b0be508a0e0cbf30484ea470d97511ca9e8c9903d5fa
                                                              • Instruction Fuzzy Hash: 2C5107316407049BC359DF64D94089BBBE6EF85314354CA6EC54A9BA64EF36F90ACFC0
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f9bcaaf2331d5a41f1d66bd582f7d788721be624da63054ddf5b0d4243ffaeb7
                                                              • Instruction ID: 1e6fededa07219309d885fe43c7bf945089a5b186e1615113ad348578780ca85
                                                              • Opcode Fuzzy Hash: f9bcaaf2331d5a41f1d66bd582f7d788721be624da63054ddf5b0d4243ffaeb7
                                                              • Instruction Fuzzy Hash: C541E574A10208DFDB14DFA9E9849ADBBFAFF88340F148529E901A7365DB34AC85DF50
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c91dc3d431ebacadac635ad3e2c0576d1a020e09e78ddfb50bf283060077c781
                                                              • Instruction ID: b54187923aaa7ef2d6099f43797a8ff9cbe6248483f78144ef45e2f2b8f5e3a9
                                                              • Opcode Fuzzy Hash: c91dc3d431ebacadac635ad3e2c0576d1a020e09e78ddfb50bf283060077c781
                                                              • Instruction Fuzzy Hash: 4631E8706002048FC748DB79E99469DBBFAFF85300F44456AD509DB3A6EF78AD09CB80
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 340b4e1d434d7052989cdd506e9a8f246bb4a50989693712b9cd480ce001e239
                                                              • Instruction ID: 22b68b8a9211a277f0877381de38f68910e1e700c4d07de4a7ae5168affcb8f6
                                                              • Opcode Fuzzy Hash: 340b4e1d434d7052989cdd506e9a8f246bb4a50989693712b9cd480ce001e239
                                                              • Instruction Fuzzy Hash: 21411C74A002098FCB05DFA8E9989AE7FF5EF84310F104565E905A7366DB39AD85CFA0
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e8b131d906cb263a7d23b1ab60781ee6ec017003b69ed5ecd4bfc58fad86d025
                                                              • Instruction ID: 7a2d5a87e8baedb980e414da051c664bd6ee182fd313fdec4e4a50c7ea9f82af
                                                              • Opcode Fuzzy Hash: e8b131d906cb263a7d23b1ab60781ee6ec017003b69ed5ecd4bfc58fad86d025
                                                              • Instruction Fuzzy Hash: 29313F70E50208DFDB14DFA5E9849EDBBFAFF88340F144525E901A7264EF749845DB50
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d66377abd68a96eba83753211b0c71ec1e6b993546a5b08f2ec65525c64be200
                                                              • Instruction ID: 7486942d40cf7a2883bc9375e8f68f01717b5e356f5816dc724670f004194392
                                                              • Opcode Fuzzy Hash: d66377abd68a96eba83753211b0c71ec1e6b993546a5b08f2ec65525c64be200
                                                              • Instruction Fuzzy Hash: 5841FB74B11214DFCB44DF69E9989AEBBF2FF88211B148465F806A7365DB349C81CF50
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0d1aa44e27156cb286106e02d70b5454a6520f8fbdc87acf0e4df8c3f3f71fda
                                                              • Instruction ID: 6a24bb601fb590dd42f04e49f3633385b7cca307f62355b325781f46519d573c
                                                              • Opcode Fuzzy Hash: 0d1aa44e27156cb286106e02d70b5454a6520f8fbdc87acf0e4df8c3f3f71fda
                                                              • Instruction Fuzzy Hash: B32101302043415FC70AEB38FC84E6EBBAAEFC0250B44896AD5458B669DF74AD4CCB90
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5d86fe5f64226e1b29a735cd255a0c0e21d992202eaeef68cf688bee1b6a24a8
                                                              • Instruction ID: 8eb4d20210975076e91e00edb3a30004434c03323924cb627adcbaca967220c4
                                                              • Opcode Fuzzy Hash: 5d86fe5f64226e1b29a735cd255a0c0e21d992202eaeef68cf688bee1b6a24a8
                                                              • Instruction Fuzzy Hash: 2C31ED74A00209CFCB44DF68E598AAE7BF6FF88310F104525E915A7366DB38AD84CF91
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c27c717a6feefdd99ab6c2531ef628465fa3bac730f8963ddcb49197e8512f0
                                                              • Instruction ID: 2a6995fdfa9060b7f6c36a901d4dcbf12074c767f5070f4c2d4a470b6c24f0fa
                                                              • Opcode Fuzzy Hash: 6c27c717a6feefdd99ab6c2531ef628465fa3bac730f8963ddcb49197e8512f0
                                                              • Instruction Fuzzy Hash: A0313C34E11208CFDB14DFA5E9849ADBBFAFF88340F144529E901A7264DF749885CB20
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261397575.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_300d000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5f10ce0256386dcb091678a91a62cc9c3740792750a58ac8447c09c6c014c370
                                                              • Instruction ID: ff9dfe97bd9abe4cde1e94f576fbea49716e4fd278a4fedc387f870a452f5650
                                                              • Opcode Fuzzy Hash: 5f10ce0256386dcb091678a91a62cc9c3740792750a58ac8447c09c6c014c370
                                                              • Instruction Fuzzy Hash: A92138B16056409FEB14DF24D5C0F2ABBA9EB84314F24CD6DD5095B3D2C33AD406C662
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261397575.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_300d000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d94ce2d4c431a4f3ff4080021f20ebd822e3f0658c33f5e112f9f87fa4660489
                                                              • Instruction ID: 3c4277fa3e6f91ab3bfd33374b34e2a84f46dfdafa637b49a9b0bda18d4cfe03
                                                              • Opcode Fuzzy Hash: d94ce2d4c431a4f3ff4080021f20ebd822e3f0658c33f5e112f9f87fa4660489
                                                              • Instruction Fuzzy Hash: 862108B1605240AFE704DF58D5C4B2ABBA9EB84314F24C9ADD5094B391CB3AD446C672
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e468a9a31f3aa0169bbe9595de1ca22ddf7874a0da61989803306528bb2956af
                                                              • Instruction ID: db7194f8817efc50cda1fcb49e4f76559803d7f07314ee402c4221a15ba7f067
                                                              • Opcode Fuzzy Hash: e468a9a31f3aa0169bbe9595de1ca22ddf7874a0da61989803306528bb2956af
                                                              • Instruction Fuzzy Hash: 4E2158302002015FC709EB79F980E6EBBAFEFC0354B448A39D5068B668DF74AD498B94
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 01e3869c1b8144aecdb31881bafd1f7cea95caf2f5493113c37b2c9f6c65c674
                                                              • Instruction ID: e0614091eefb6fd22e04bb5f775e9cc1d1fb16587289f0e25adae6568a6cc655
                                                              • Opcode Fuzzy Hash: 01e3869c1b8144aecdb31881bafd1f7cea95caf2f5493113c37b2c9f6c65c674
                                                              • Instruction Fuzzy Hash: 36216035A052588FCB15DFA9C998EDDBFF1AF4D310F180099E406EB262DB359D45CB60
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e0cc7241372446e8261f87ef6db06392167e78944a9a952b6a6c795b7c8dd30e
                                                              • Instruction ID: ffd14ee1991edfbf20402999d8dd850f353592317fad0535e8e30bf5b1a898da
                                                              • Opcode Fuzzy Hash: e0cc7241372446e8261f87ef6db06392167e78944a9a952b6a6c795b7c8dd30e
                                                              • Instruction Fuzzy Hash: 1111D0316053409FC311EF29C44489BBBF9EF4529071089AAD985CB726EB31E804CFA1
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5a12d394b6fa98296dcd0005ae724f192ecedf94d1cc0bed5340eb8f55fc7a09
                                                              • Instruction ID: dc1beb3a6b88e9391f9d4c518684f1da308f2715ac4722f2fd9ff5858939f725
                                                              • Opcode Fuzzy Hash: 5a12d394b6fa98296dcd0005ae724f192ecedf94d1cc0bed5340eb8f55fc7a09
                                                              • Instruction Fuzzy Hash: BB211974E00209CFDF14DFA9E9849ADFBBAFF88340F048529E915A7269DB749845CF60
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a712419f0b2a4ef4d52fbb05b8cdc7b74a8d3295d7472082cc34c653a7ab98a8
                                                              • Instruction ID: 78f016f28a46fabc45e25539a97f391e959cb820bfc5409ab79e010d68de989f
                                                              • Opcode Fuzzy Hash: a712419f0b2a4ef4d52fbb05b8cdc7b74a8d3295d7472082cc34c653a7ab98a8
                                                              • Instruction Fuzzy Hash: C121A531A01209DFDB50DFA4CA187EFFBF5AF44300F548469E841AB252DF764A45CB51
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a74b76f25671dede0a09014bb448a62179b3956266f0c1ddceca49dbe7647434
                                                              • Instruction ID: 79d9708326e3e06c5dff3a817363b88411cc553afb2325c5b4c32fa7d35395f3
                                                              • Opcode Fuzzy Hash: a74b76f25671dede0a09014bb448a62179b3956266f0c1ddceca49dbe7647434
                                                              • Instruction Fuzzy Hash: EC214D35A002188FDB54DBA9D998ADEBBF5AF4C310F2400A5E506FB360DB759D44CBA0
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4ed21b7e1b8070153cf440ff6cff38909c6b28332431996648ba84e06e7ac86f
                                                              • Instruction ID: 8c76a2349e50e118dc723739e3fe420d7673f5c9b5b4d3d376c790671fa8f35c
                                                              • Opcode Fuzzy Hash: 4ed21b7e1b8070153cf440ff6cff38909c6b28332431996648ba84e06e7ac86f
                                                              • Instruction Fuzzy Hash: 7E21B374A41208DFCB14DFA8E98499DBBFAFF88300F104529E905A7365DB74AD85CF50
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 440c1482b99bf7baa4d22f29f7d4cfe567dfa19a9db3dd928bd75c39d1438fdf
                                                              • Instruction ID: c8c648e70037637a4c82f4d1a601a3f7f81f344a64ac48a3d5793974f3b3d5ac
                                                              • Opcode Fuzzy Hash: 440c1482b99bf7baa4d22f29f7d4cfe567dfa19a9db3dd928bd75c39d1438fdf
                                                              • Instruction Fuzzy Hash: F801683170D2801FC346677A5C604AF3F7EEF8615075800ABE901EB242CE210D0687A6
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: da99c43a723fe2b072f52d5f6c09b8f0d6d21598428de21642d75628ababfaf6
                                                              • Instruction ID: a49f684232d8453ee649219ddf9983e9d658828ff65f58115d7f5e81731e8505
                                                              • Opcode Fuzzy Hash: da99c43a723fe2b072f52d5f6c09b8f0d6d21598428de21642d75628ababfaf6
                                                              • Instruction Fuzzy Hash: E111C439A153448FCB05DFB8E81A79E7FF6AB89200F048469ED029B392DF351808DB51
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261397575.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_300d000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 561e0040fa13a4c8f15330505c2ec777d2b9bad7fdc99719fcd56c8bdcde1cea
                                                              • Instruction ID: fa8248a9486696ccf0ca80b9bdae2950c364a7ee2490a22a5e15af5f6e6a6151
                                                              • Opcode Fuzzy Hash: 561e0040fa13a4c8f15330505c2ec777d2b9bad7fdc99719fcd56c8bdcde1cea
                                                              • Instruction Fuzzy Hash: 5811A0B5509680CFEB15DF24D5C4B25FFA1FB44314F28CAADC8495B692C33AD44ACB52
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261397575.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_300d000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 561e0040fa13a4c8f15330505c2ec777d2b9bad7fdc99719fcd56c8bdcde1cea
                                                              • Instruction ID: 9528ac866e91b49146b3759d5022745a08bf410d637739873ccc08a5e90c5340
                                                              • Opcode Fuzzy Hash: 561e0040fa13a4c8f15330505c2ec777d2b9bad7fdc99719fcd56c8bdcde1cea
                                                              • Instruction Fuzzy Hash: 6411CAB55052809FEB15DF28D9C4B25BBB1FB84214F28C6ADD8494B692C33A944ACB62
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c393493dab2d49ce8d9cfe4161d2e75278d2e400d4a68605a946c2c6130edbd8
                                                              • Instruction ID: 789cbb4222174d0c77898f280a95ffde98a3af97f7ecc00af803f1877a18f4e0
                                                              • Opcode Fuzzy Hash: c393493dab2d49ce8d9cfe4161d2e75278d2e400d4a68605a946c2c6130edbd8
                                                              • Instruction Fuzzy Hash: 911157303506158FCB45DF2CF888D8ABBF9FF84A14B0481A9E546CB276DB71ED098B90
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7072bcc05416589a84b65571b34f9f3a13b95f50ba5eb0c47851bc80c5c662ff
                                                              • Instruction ID: fa019839f85c4301b837366a0e51a8b60bb4c3ceab9edca6e72348073d276e0d
                                                              • Opcode Fuzzy Hash: 7072bcc05416589a84b65571b34f9f3a13b95f50ba5eb0c47851bc80c5c662ff
                                                              • Instruction Fuzzy Hash: 4001A9763102108F8714EA6EF89481DB7BAEFC96A5314857FEA06C7310CE31DC0197A1
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9a94eccbadfca31256b303a977cacc38a776f93ec8d00fa338b084e97924b3a7
                                                              • Instruction ID: 41babebf213b649257577ef8d2dd97d98ddf320550b1c80a4d0ed3b2f6f3cacf
                                                              • Opcode Fuzzy Hash: 9a94eccbadfca31256b303a977cacc38a776f93ec8d00fa338b084e97924b3a7
                                                              • Instruction Fuzzy Hash: 6A01E939A20344DBDB04DFB8E4597AE7FF6AB88301F008428E9029B281DF395845EB61
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f2455f896950a26da4e21b414a7bfdcf23f2bf79e2bc1f8207fec95eec4a7672
                                                              • Instruction ID: 54e1f665606cbf100cc4b536931a64a524d20cf2b1317d9c39dc7295f548a928
                                                              • Opcode Fuzzy Hash: f2455f896950a26da4e21b414a7bfdcf23f2bf79e2bc1f8207fec95eec4a7672
                                                              • Instruction Fuzzy Hash: EBE0E5373111245FC3006B1DF8458963BA8EE8566134901B7F908CB321CE1189025764
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0854cb35f5689b5d5277430636dc010fe0ab99db787dd455d843d04e6b7f1da0
                                                              • Instruction ID: 51c158d9a9da839cd956a0b4e351eb43147952e8b7cb6a32b7dabe90cfe84855
                                                              • Opcode Fuzzy Hash: 0854cb35f5689b5d5277430636dc010fe0ab99db787dd455d843d04e6b7f1da0
                                                              • Instruction Fuzzy Hash: 53F02B30A152859FCB00EBA8ED4589D7FF2DF96310B1486D9D944AB2A3CE316E41EF42
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 66d772a4d40a3a356a1ba701d275fcc20f8363f9ce21b4d7080cd6cfd43fe82d
                                                              • Instruction ID: e61fb012c42fb3419ce63df9d20c203109cae7295a6981e64437896db2c58dc3
                                                              • Opcode Fuzzy Hash: 66d772a4d40a3a356a1ba701d275fcc20f8363f9ce21b4d7080cd6cfd43fe82d
                                                              • Instruction Fuzzy Hash: ECF082B63102108F8705DF6DE488929B7BAEFC9655314806AEA0AC7315CE35DC028BA0
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 907270390840d024d6fd3a4282a0c51769059496d9eebf67658fff72d627935c
                                                              • Instruction ID: 6f6dc46d054803a6bf25c85fd7f30965039a6207220691b7fda69179024c48ab
                                                              • Opcode Fuzzy Hash: 907270390840d024d6fd3a4282a0c51769059496d9eebf67658fff72d627935c
                                                              • Instruction Fuzzy Hash: 10E06D367063404FCB06977998588AABFE9DF9661234608EAF506C7363DD728C05DB52
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: eb4ae90b0e8bbedcf4c3716c131d21e279c85e422c202070d0aa985d0473d260
                                                              • Instruction ID: 8b943a24af72e276d08ca555a97ba97821bfdb935ed2f5397bdb3fa284381aeb
                                                              • Opcode Fuzzy Hash: eb4ae90b0e8bbedcf4c3716c131d21e279c85e422c202070d0aa985d0473d260
                                                              • Instruction Fuzzy Hash: 60F08230F10208AF8B40EFA8E94499DBBF6DF98200F5041A99904E7254DE305E44DB51
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ea7f91b8d579696f9d124f129b4108708d8016709f88422ac5d376f17a4d596a
                                                              • Instruction ID: b44e6f3b0fb8d2a54911b6406f3869d124aa071dec00baf75c9f36204d134682
                                                              • Opcode Fuzzy Hash: ea7f91b8d579696f9d124f129b4108708d8016709f88422ac5d376f17a4d596a
                                                              • Instruction Fuzzy Hash: 08F08C35E100188FC784EFBCC5096EDBBF5EF48210B2184B9DA19E3301DA308D018B92
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e8e8e94b7b1dc50bbb5bd566eaae29137c628f4e23d7dd8d5cd04bb544a4ecda
                                                              • Instruction ID: 695fabd6b0cb8512bd2a0cee9fec2d048087427ff816f00426baf2e87edd604e
                                                              • Opcode Fuzzy Hash: e8e8e94b7b1dc50bbb5bd566eaae29137c628f4e23d7dd8d5cd04bb544a4ecda
                                                              • Instruction Fuzzy Hash: 8FE0ED71E101188F8B84EFBCD5056DE7BF5EF48310B6144BAD619E7310EB709E018B91
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 06c68aa2094458b2d8419771e1c84171f5620729308adeee81018d6bbe3960c2
                                                              • Instruction ID: 0119b4c3d3a22ffb4e2103ec58e0574263004f37e38dfcdff38cd6f9bcda7721
                                                              • Opcode Fuzzy Hash: 06c68aa2094458b2d8419771e1c84171f5620729308adeee81018d6bbe3960c2
                                                              • Instruction Fuzzy Hash: 70E0C23641F30847FFA08291A10A3767ECD5B80319F4C90ABB80D06691DBFA808AEF51
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 67496605a623f396901c785ef0769f1cc5304d340805f09684c04b1eb5c67977
                                                              • Instruction ID: 221362201cf7403ae5e2f36f81139dca66598d858c2b040414f1da87587b21f8
                                                              • Opcode Fuzzy Hash: 67496605a623f396901c785ef0769f1cc5304d340805f09684c04b1eb5c67977
                                                              • Instruction Fuzzy Hash: FED05B7771021057DB1486A97905A7B23DFABC822170C4466FA05D3255EE618C415750
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7fe7dc758a314c8d3753bb86d7d04b2a3f850aa347d5a1b2aaae374a772f099d
                                                              • Instruction ID: c75751e767df4395476073cb7e6d03ae5fb5588f5adcf15cf91487aed0fe4df6
                                                              • Opcode Fuzzy Hash: 7fe7dc758a314c8d3753bb86d7d04b2a3f850aa347d5a1b2aaae374a772f099d
                                                              • Instruction Fuzzy Hash: 45D01736255A248F8761EBA8F54489AB7E8EB4966130441A6FA0AC7B20DA61FC008AD0
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d5b1c62176ecc905e4b6389bf97c6ff7e356eb9c4e40c94976f5cb6cbfdf9a86
                                                              • Instruction ID: a06b0a0db8c027b34c09a6225a90e27feba6fc241738ba09922a73b2eac6ead4
                                                              • Opcode Fuzzy Hash: d5b1c62176ecc905e4b6389bf97c6ff7e356eb9c4e40c94976f5cb6cbfdf9a86
                                                              • Instruction Fuzzy Hash: B6D02EB07062004FC304EB28E580C2437FAEB88300B0501B4F448CB336CE28FC82CB15
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 05114d398417013a3f955da572a3e677bff21f064752366b9cb4ab77fd8a810f
                                                              • Instruction ID: e3c85a6d4c4509bcb98d0477841826c5aad1a8e02113274c12d84093bb0cc927
                                                              • Opcode Fuzzy Hash: 05114d398417013a3f955da572a3e677bff21f064752366b9cb4ab77fd8a810f
                                                              • Instruction Fuzzy Hash: DBC012747802048F8208DB6CE084C2573EAEBCC710B1000B8EA09CB33ACE20FC82CA19
Memory Dump Source
• Source File: 0000000D.00000002.3261648813.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_3050000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Execution Graph

Execution Coverage: 10.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 14
Total number of Limit Nodes: 0

Control-flow Graph

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0123D5FE,?,?,?,?,?), ref: 0123D6BF
Memory Dump Source
• Source File: 0000001A.00000002.3447653657.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_1230000_GamePall.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

Control-flow Graph

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0123D5FE,?,?,?,?,?), ref: 0123D6BF
Memory Dump Source
• Source File: 0000001A.00000002.3447653657.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_1230000_GamePall.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

Control-flow Graph

APIs
• SystemParametersInfoA.USER32(?,?,?,?), ref: 0123E090
Memory Dump Source
• Source File: 0000001A.00000002.3447653657.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_1230000_GamePall.jbxd
Similarity
• API ID: InfoParametersSystem
• String ID:
• API String ID: 3098949447-0

Control-flow Graph

APIs
• SystemParametersInfoA.USER32(?,?,?,?), ref: 0123E090
Memory Dump Source
• Source File: 0000001A.00000002.3447653657.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_1230000_GamePall.jbxd
Similarity
• API ID: InfoParametersSystem
• String ID:
• API String ID: 3098949447-0

Control-flow Graph

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0126D5FE,?,?,?,?,?), ref: 0126D6BF
Memory Dump Source
• Source File: 00000023.00000002.3439968594.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_1260000_GamePall.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

Control-flow Graph

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0126D5FE,?,?,?,?,?), ref: 0126D6BF
Memory Dump Source
• Source File: 00000023.00000002.3439968594.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_1260000_GamePall.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

Control-flow Graph

APIs
• SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 0126E090
Memory Dump Source
• Source File: 00000023.00000002.3439968594.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_1260000_GamePall.jbxd
Similarity
• API ID: InfoParametersSystem
• String ID:
• API String ID: 3098949447-0

Control-flow Graph

APIs
• SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 0126E090
Memory Dump Source
• Source File: 00000023.00000002.3439968594.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_1260000_GamePall.jbxd
Similarity
• API ID: InfoParametersSystem
• String ID:
• API String ID: 3098949447-0

Control-flow Graph

APIs
• SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 0119E090
Memory Dump Source
• Source File: 00000025.00000002.3609367682.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_1190000_GamePall.jbxd
Similarity
• API ID: InfoParametersSystem
• String ID:
• API String ID: 3098949447-0

Control-flow Graph

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0119D5FE,?,?,?,?,?), ref: 0119D6BF
Memory Dump Source
• Source File: 00000025.00000002.3609367682.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_1190000_GamePall.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

Control-flow Graph

APIs
• SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 0119E090
Memory Dump Source
• Source File: 00000025.00000002.3609367682.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_1190000_GamePall.jbxd
Similarity
• API ID: InfoParametersSystem
• String ID:
• API String ID: 3098949447-0