Windows Analysis Report
SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe
Analysis ID: 1466391
MD5: 88a28b818f9782600d08f075abf2a632
SHA1: 60083f901ac4c0b5e8dd0b78b739df6cd9cf84c3
SHA256: 92d74f895798a56cdd1e0b416730e995eaa193ef2ed3fb7855936326019dd93d
Tags: exe
Infos:

Detection

LummaC, Poverty Stealer, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected LummaC Stealer
Yara detected Poverty Stealer
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Name Description Attribution Blogpost URLs Link
SmokeLoader The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
  • SMOKY SPIDER
 https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Temp\A817.exe Avira: detection malicious, Label: HEUR/AGEN.1313486
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Avira: detection malicious, Label: HEUR/AGEN.1352426
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat Avira: detection malicious, Label: HEUR/AGEN.1359405
Found malware configuration
Source: 00000005.00000002.2656272737.00000000028D0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
Source: 8.2.898.exe.c8f7a0.1.raw.unpack Malware Configuration Extractor: Poverty Stealer {"C2 url": "146.70.169.164:2227"}
Source: 6.2.A817.exe.260000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "foodypannyjsud.shop"], "Build id": "bOKHNM--"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\A817.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\D91B.exe ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Roaming\ihuhfti ReversingLabs: Detection: 47%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe ReversingLabs: Detection: 47%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 98.8% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\898.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\Del.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A817.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 6.2.A817.exe.260000.0.unpack String decryptor: pedestriankodwu.xyz
Source: 6.2.A817.exe.260000.0.unpack String decryptor: towerxxuytwi.xyz
Source: 6.2.A817.exe.260000.0.unpack String decryptor: ellaboratepwsz.xyz
Source: 6.2.A817.exe.260000.0.unpack String decryptor: penetratedpoopp.xyz
Source: 6.2.A817.exe.260000.0.unpack String decryptor: swellfrrgwwos.xyz
Source: 6.2.A817.exe.260000.0.unpack String decryptor: contintnetksows.shop
Source: 6.2.A817.exe.260000.0.unpack String decryptor: foodypannyjsud.shop
Source: 6.2.A817.exe.260000.0.unpack String decryptor: potterryisiw.shop
Source: 6.2.A817.exe.260000.0.unpack String decryptor: foodypannyjsud.shop
Source: 6.2.A817.exe.260000.0.unpack String decryptor: lid=%s&j=%s&ver=4.0
Source: 6.2.A817.exe.260000.0.unpack String decryptor: TeslaBrowser/5.5
Source: 6.2.A817.exe.260000.0.unpack String decryptor: - Screen Resoluton:
Source: 6.2.A817.exe.260000.0.unpack String decryptor: - Physical Installed Memory:
Source: 6.2.A817.exe.260000.0.unpack String decryptor: Workgroup: -
Source: 6.2.A817.exe.260000.0.unpack String decryptor: bOKHNM--
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_03521C94 CryptUnprotectData,CryptProtectData, 8_2_03521C94
Uses 32bit PE files
Source: SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exeePallll source: setup.exe, 00000009.00000002.4324246511.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdb source: widevinecdmadapter.dll.9.dr
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbU^1 source: 898.exe, 00000008.00000002.4009806264.000000000A808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbZ`0 source: 898.exe, 00000008.00000002.4009806264.000000000A808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: 898.exe, 00000008.00000002.4009806264.000000000A808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: libEGL.dll.pdb source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbx source: 898.exe, 00000008.00000002.4009806264.000000000A808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000A.00000000.4014951511.0000000000442000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 0000000D.00000002.4104356642.0000000005EF2000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\chrome_elf.dll.pdb source: GamePall.exe, 0000000D.00000002.4131714578.0000000060519000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\** source: 898.exe, 00000008.00000002.3806811525.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 0000000D.00000002.4104356642.0000000005EF2000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 0000000D.00000002.4103312012.00000000053E2000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\chrome_elf.dll.pdb source: GamePall.exe, 0000000D.00000002.4131714578.0000000060519000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdbGCTL source: widevinecdmadapter.dll.9.dr
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 0000000D.00000002.4103312012.00000000053E2000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: 898.exe, 00000008.00000000.2854208305.00000000001C9000.00000002.00000001.01000000.0000000B.sdmp, 898.exe, 00000008.00000002.3799984274.00000000001C9000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 00000009.00000002.4325458416.000000000050A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 00000009.00000002.4325458416.000000000050A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: libGLESv2.dll.pdb source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp, libGLESv2.dll0.9.dr
Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: 898.exe, 00000008.00000000.2854208305.00000000001C9000.00000002.00000001.01000000.0000000B.sdmp, 898.exe, 00000008.00000002.3799984274.00000000001C9000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2*t source: 898.exe, 00000008.00000002.3806811525.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Directory queried: number of queries: 1265
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Code function: 7_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 7_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Code function: 7_2_004066FF FindFirstFileA,FindClose, 7_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Code function: 7_2_004027AA FindFirstFileA, 7_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_001C24BD FindFirstFileExW, 8_2_001C24BD
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_03521000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection, 8_2_03521000
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_03524E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW, 8_2_03524E27
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_03521D3C FindFirstFileW,FindNextFileW, 8_2_03521D3C
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_035240BA FindFirstFileW,FindNextFileW, 8_2_035240BA
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_03523EFC FindFirstFileW,FindNextFileW, 8_2_03523EFC
Source: C:\Users\user\AppData\Local\Temp\898.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe File opened: C:\Users\user\AppData\Local\Adobe\ Jump to behavior

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 186.233.231.45 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 141.8.192.126 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 185.68.16.7 443 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 127.0.0.127 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 123.212.43.225 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 188.114.97.3 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: pedestriankodwu.xyz
Source: Malware configuration extractor URLs: towerxxuytwi.xyz
Source: Malware configuration extractor URLs: ellaboratepwsz.xyz
Source: Malware configuration extractor URLs: penetratedpoopp.xyz
Source: Malware configuration extractor URLs: swellfrrgwwos.xyz
Source: Malware configuration extractor URLs: contintnetksows.shop
Source: Malware configuration extractor URLs: foodypannyjsud.shop
Source: Malware configuration extractor URLs: potterryisiw.shop
Source: Malware configuration extractor URLs: foodypannyjsud.shop
Source: Malware configuration extractor URLs: http://evilos.cc/tmp/index.php
Source: Malware configuration extractor URLs: http://gebeus.ru/tmp/index.php
Source: Malware configuration extractor URLs: http://office-techs.biz/tmp/index.php
Source: Malware configuration extractor URLs: http://cx5519.com/tmp/index.php
Source: Malware configuration extractor URLs: 146.70.169.164:2227
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.192.141.1 104.192.141.1
Source: Joe Sandbox View IP Address: 104.192.141.1 104.192.141.1
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_00155B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,FreeLibrary,task, 8_2_00155B80
Source: GamePall.exe, 00000012.00000002.4585209725.0000000002791000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000021.00000002.5009845498.0000000002E51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.install-stat.debug.world/clients/activity
Source: GamePall.exe, 00000025.00000002.5009775721.0000000002A98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.install-stat.debug.world/clients/activity=4
Source: GamePall.exe, 00000017.00000002.4954348095.00000000031B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.install-stat.debug.world/clients/activity=4p
Source: GamePall.exe, 00000012.00000002.4585209725.0000000002791000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000017.00000002.4954348095.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000021.00000002.5009845498.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000025.00000002.5009775721.0000000002A98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.install-stat.debug.world/clients/installs
Source: GamePall.exe, 00000025.00000002.5009775721.0000000002AC7000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000025.00000002.5009775721.0000000002A98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bageyou.xyz
Source: A817.exe, 00000006.00000003.2743892183.00000000035F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: A817.exe, 00000006.00000003.2743892183.00000000035F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: explorer.exe, 00000003.00000000.2318454001.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2318454001.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: A817.exe, 00000006.00000003.2743892183.00000000035F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: explorer.exe, 00000003.00000000.2313119165.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: A817.exe, 00000006.00000003.2743892183.00000000035F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: A817.exe, 00000006.00000003.2743892183.00000000035F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: explorer.exe, 00000003.00000000.2318454001.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2318454001.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: A817.exe, 00000006.00000003.2743892183.00000000035F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: explorer.exe, 00000003.00000000.2318454001.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2318454001.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: A817.exe, 00000006.00000003.2743892183.00000000035F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: GamePall.exe, 0000000F.00000002.4115210954.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.mic
Source: GamePall.exe, 0000000D.00000002.4103312012.00000000053E2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: D91B.exe, D91B.exe, 00000007.00000002.4350368175.000000000040A000.00000004.00000001.01000000.00000007.sdmp, D91B.exe, 00000007.00000000.2783632646.000000000040A000.00000008.00000001.01000000.00000007.sdmp, setup.exe, 00000009.00000000.3646833229.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, setup.exe, 00000009.00000002.4324246511.000000000040A000.00000004.00000001.01000000.0000000D.sdmp, setup.exe, 00000009.00000003.4015052556.000000000056C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: D91B.exe, 00000007.00000002.4350368175.000000000040A000.00000004.00000001.01000000.00000007.sdmp, D91B.exe, 00000007.00000000.2783632646.000000000040A000.00000008.00000001.01000000.00000007.sdmp, setup.exe, 00000009.00000000.3646833229.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, setup.exe, 00000009.00000002.4324246511.000000000040A000.00000004.00000001.01000000.0000000D.sdmp, setup.exe, 00000009.00000003.4015052556.000000000056C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000003.00000000.2318454001.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2318454001.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2743892183.00000000035F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000000.2318454001.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: A817.exe, 00000006.00000003.2743892183.00000000035F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: explorer.exe, 00000003.00000000.2316570256.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2317481969.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2317545568.0000000008890000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: GamePall.exe, 0000000D.00000002.4103312012.00000000053E2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: http://www.apache.org/).
Source: GamePall.exe, 0000000D.00000002.4103312012.00000000053E2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: http://www.apache.org/licenses/
Source: GamePall.exe, 0000000D.00000002.4103312012.00000000053E2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: GamePall.exe, 0000000D.00000002.4104615489.0000000006597000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: http://www.unicode.org/copyright.html
Source: A817.exe, 00000006.00000003.2743892183.00000000035F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: A817.exe, 00000006.00000003.2743892183.00000000035F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: D91B.exe, 00000007.00000002.4351081673.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, D91B.exe, 00000007.00000002.4350368175.0000000000434000.00000004.00000001.01000000.00000007.sdmp, D91B.exe, 00000007.00000002.4351081673.0000000000647000.00000004.00000020.00020000.00000000.sdmp, D91B.exe, 00000007.00000003.4125965244.00000000006D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xiexie.wf/22_551/huge.dat
Source: D91B.exe, 00000007.00000002.4351381522.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, D91B.exe, 00000007.00000003.4125965244.00000000006D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xiexie.wf/22_551/huge.dat2c2e-da81-46d0-b6b6-535557bcc5fa
Source: D91B.exe, 00000007.00000002.4351381522.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, D91B.exe, 00000007.00000003.4125965244.00000000006D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xiexie.wf/22_551/huge.dat:
Source: D91B.exe, 00000007.00000002.4351081673.0000000000647000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xiexie.wf/22_551/huge.datg
Source: D91B.exe, 00000007.00000003.4342569603.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, D91B.exe, 00000007.00000002.4351081673.00000000006A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xiexie.wf/22_551/huge.datll
Source: D91B.exe, 00000007.00000002.4350368175.0000000000434000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: http://xiexie.wf/22_551/huge.datmCGBZvyfGQlwd
Source: D91B.exe, 00000007.00000003.4342569603.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, D91B.exe, 00000007.00000002.4351081673.00000000006A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xiexie.wf/22_551/huge.datx5#
Source: A817.exe, 00000006.00000003.2715295117.0000000003606000.00000004.00000800.00020000.00000000.sdmp, 898.exe, 00000008.00000003.3779995396.000000000A06C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000003.00000000.2322629700.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000003.00000000.2315285325.00000000076F8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000000.2318454001.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000000.2315285325.0000000007637000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000000.2314030513.00000000035FA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.coml
Source: 898.exe, 00000008.00000002.3806811525.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aui-cdn.atlassian.com/
Source: 898.exe, 00000008.00000002.3806811525.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/
Source: 898.exe, 00000008.00000002.3806811525.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/E
Source: 898.exe, 00000008.00000002.3806811525.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp, 898.exe, 00000008.00000002.3806811525.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee
Source: 898.exe, 00000008.00000002.3806811525.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupeet
Source: A817.exe, 00000006.00000003.2745437256.0000000000F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: A817.exe, 00000006.00000003.2745437256.0000000000F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: 898.exe, 00000008.00000002.3806811525.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cookielaw.org/
Source: A817.exe, 00000006.00000003.2715295117.0000000003606000.00000004.00000800.00020000.00000000.sdmp, 898.exe, 00000008.00000003.3779995396.000000000A06C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: A817.exe, 00000006.00000003.2715295117.0000000003606000.00000004.00000800.00020000.00000000.sdmp, 898.exe, 00000008.00000003.3779995396.000000000A06C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: A817.exe, 00000006.00000003.2715295117.0000000003606000.00000004.00000800.00020000.00000000.sdmp, 898.exe, 00000008.00000003.3779995396.000000000A06C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.4103690947.00000000057F0000.00000002.00000001.00040000.0000001B.sdmp, te.pak.9.dr, lv.pak.9.dr String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: GamePall.exe, 0000000D.00000002.4103690947.00000000057F0000.00000002.00000001.00040000.0000001B.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: GamePall.exe, 0000000D.00000002.4103690947.00000000057F0000.00000002.00000001.00040000.0000001B.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: lv.pak.9.dr String found in binary or memory: https://chrome.google.com/webstore?hl=lvCtrl$1
Source: te.pak.9.dr String found in binary or memory: https://chrome.google.com/webstore?hl=te&category=theme81https://myactivity.google.com/myactivity/?u
Source: te.pak.9.dr String found in binary or memory: https://chrome.google.com/webstore?hl=teCtrl$1
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=ukCtrl$1
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=urCtrl$2
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=viCtrl$1
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CNCtrl$1
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TWCtrl$1
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.4103690947.00000000057F0000.00000002.00000001.00040000.0000001B.sdmp, te.pak.9.dr, lv.pak.9.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.4103690947.00000000057F0000.00000002.00000001.00040000.0000001B.sdmp, te.pak.9.dr, lv.pak.9.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.4103690947.00000000057F0000.00000002.00000001.00040000.0000001B.sdmp, te.pak.9.dr, lv.pak.9.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.4103690947.00000000057F0000.00000002.00000001.00040000.0000001B.sdmp, te.pak.9.dr, lv.pak.9.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.4103690947.00000000057F0000.00000002.00000001.00040000.0000001B.sdmp, te.pak.9.dr, lv.pak.9.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.4103690947.00000000057F0000.00000002.00000001.00040000.0000001B.sdmp, te.pak.9.dr, lv.pak.9.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.4103690947.00000000057F0000.00000002.00000001.00040000.0000001B.sdmp, te.pak.9.dr String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: A817.exe, 00000006.00000003.2745437256.0000000000F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: A817.exe, 00000006.00000003.2745437256.0000000000F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: 898.exe, 00000008.00000002.3806811525.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
Source: 898.exe, 00000008.00000002.3806811525.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
Source: A817.exe, 00000006.00000003.2715295117.0000000003606000.00000004.00000800.00020000.00000000.sdmp, 898.exe, 00000008.00000003.3779995396.000000000A06C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: A817.exe, 00000006.00000003.2715295117.0000000003606000.00000004.00000800.00020000.00000000.sdmp, 898.exe, 00000008.00000003.3779995396.000000000A06C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: A817.exe, 00000006.00000003.2715295117.0000000003606000.00000004.00000800.00020000.00000000.sdmp, 898.exe, 00000008.00000003.3779995396.000000000A06C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000003.00000000.2318454001.0000000009B41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: A817.exe, 00000006.00000003.2743863458.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2745437256.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000002.2865792582.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/
Source: A817.exe, 00000006.00000002.2866285265.0000000000F27000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2863372577.0000000000F27000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2834714305.0000000000F27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/$p
Source: A817.exe, 00000006.00000002.2866285265.0000000000F27000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2863372577.0000000000F27000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2834714305.0000000000F27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/6C%
Source: A817.exe, 00000006.00000003.2725693658.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2814719028.0000000000F27000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2725757098.0000000000F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/api
Source: A817.exe, 00000006.00000002.2866285265.0000000000F27000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2863372577.0000000000F27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/apiT
Source: A817.exe, 00000006.00000003.2738569621.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/apiU8
Source: A817.exe, 00000006.00000003.2768851064.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2814985761.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/apie
Source: A817.exe, 00000006.00000003.2738569621.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/apir8
Source: A817.exe, 00000006.00000003.2814719028.0000000000F27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/ik
Source: A817.exe, 00000006.00000003.2725693658.0000000000F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/oi
Source: A817.exe, 00000006.00000003.2800904439.0000000000F1A000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2800685873.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2801014540.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2801990639.0000000000F27000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2814719028.0000000000F27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/op8
Source: A817.exe, 00000006.00000003.2768659017.0000000000F12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/pi
Source: A817.exe, 00000006.00000002.2866285265.0000000000F27000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2863372577.0000000000F27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/pi8
Source: A817.exe, 00000006.00000003.2737319587.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2768659017.0000000000F12000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2745034642.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2743863458.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2745437256.0000000000F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/piO
Source: A817.exe, 00000006.00000003.2800685873.0000000000F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/pik
Source: A817.exe, 00000006.00000003.2800904439.0000000000F1A000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2800685873.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2801014540.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2801990639.0000000000F27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/s
Source: A817.exe, 00000006.00000003.2800904439.0000000000F1A000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2800685873.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2801014540.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2801990639.0000000000F27000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2814719028.0000000000F27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/s.
Source: A817.exe, 00000006.00000003.2745437256.0000000000F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: explorer.exe, 00000003.00000000.2318454001.0000000009B41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://java.coA
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.4103690947.00000000057F0000.00000002.00000001.00040000.0000001B.sdmp, te.pak.9.dr, lv.pak.9.dr String found in binary or memory: https://myactivity.google.com/
Source: explorer.exe, 00000003.00000000.2318454001.0000000009B41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://passwords.google.com
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.4103690947.00000000057F0000.00000002.00000001.00040000.0000001B.sdmp, te.pak.9.dr, lv.pak.9.dr String found in binary or memory: https://passwords.google.comGoogle
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://passwords.google.comT
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.4103690947.00000000057F0000.00000002.00000001.00040000.0000001B.sdmp, te.pak.9.dr, lv.pak.9.dr String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.4103690947.00000000057F0000.00000002.00000001.00040000.0000001B.sdmp, te.pak.9.dr, lv.pak.9.dr String found in binary or memory: https://policies.google.com/
Source: explorer.exe, 00000003.00000000.2322629700.000000000C460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: 898.exe, 00000008.00000002.3806811525.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: 898.exe, 00000008.00000002.3806811525.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp, te.pak.9.dr String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.4103690947.00000000057F0000.00000002.00000001.00040000.0000001B.sdmp, te.pak.9.dr String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.4103690947.00000000057F0000.00000002.00000001.00040000.0000001B.sdmp, te.pak.9.dr, lv.pak.9.dr String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: A817.exe, 00000006.00000003.2745061280.00000000036F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: A817.exe, 00000006.00000003.2745061280.00000000036F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: GamePall.exe, 0000000D.00000002.4103415297.0000000005426000.00000002.00000001.01000000.00000011.sdmp, GamePall.exe, 0000000D.00000002.4103312012.00000000053E2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
Source: 898.exe, 00000008.00000002.3806811525.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: explorer.exe, 00000003.00000000.2318454001.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000003.00000000.2318454001.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comon
Source: A817.exe, 00000006.00000003.2745437256.0000000000F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: A817.exe, 00000006.00000003.2745437256.0000000000F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: A817.exe, 00000006.00000003.2715295117.0000000003606000.00000004.00000800.00020000.00000000.sdmp, 898.exe, 00000008.00000003.3779995396.000000000A06C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp, te.pak.9.dr String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&
Source: GamePall.exe, 0000000D.00000002.4103690947.00000000057F0000.00000002.00000001.00040000.0000001B.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: lv.pak.9.dr String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlP&al
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&r
Source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlYar&d
Source: A817.exe, 00000006.00000003.2715295117.0000000003606000.00000004.00000800.00020000.00000000.sdmp, 898.exe, 00000008.00000003.3779995396.000000000A06C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: A817.exe, 00000006.00000003.2745061280.00000000036F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: A817.exe, 00000006.00000003.2745061280.00000000036F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: A817.exe, 00000006.00000003.2745061280.00000000036F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: A817.exe, 00000006.00000003.2745061280.00000000036F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: A817.exe, 00000006.00000003.2745061280.00000000036F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: A817.exe, 00000006.00000003.2745061280.00000000036F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000005.00000002.2656272737.00000000028D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2656390640.0000000004391000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2338396480.0000000004271000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2338253538.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Code function: 7_2_004055E7 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 7_2_004055E7
Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_03524BA2 GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,DeleteObject,DeleteDC,ReleaseDC, 8_2_03524BA2
Too many similar processes found
Source: GamePall.exe Process created: 56

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.2656272737.00000000028D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2338338339.00000000028E1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2338226742.00000000028A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.2656390640.0000000004391000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2656210461.0000000002791000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2338396480.0000000004271000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2656252926.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2338253538.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Code function: 0_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401538
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Code function: 0_2_00402FE9 RtlCreateUserThread,NtTerminateProcess, 0_2_00402FE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Code function: 0_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004014DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Code function: 0_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Code function: 0_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401543
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Code function: 0_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401565
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Code function: 0_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401579
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Code function: 0_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040157C
Source: C:\Users\user\AppData\Roaming\ihuhfti Code function: 5_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_00401538
Source: C:\Users\user\AppData\Roaming\ihuhfti Code function: 5_2_00402FE9 RtlCreateUserThread,NtTerminateProcess, 5_2_00402FE9
Source: C:\Users\user\AppData\Roaming\ihuhfti Code function: 5_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_004014DE
Source: C:\Users\user\AppData\Roaming\ihuhfti Code function: 5_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_00401496
Source: C:\Users\user\AppData\Roaming\ihuhfti Code function: 5_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_00401543
Source: C:\Users\user\AppData\Roaming\ihuhfti Code function: 5_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_00401565
Source: C:\Users\user\AppData\Roaming\ihuhfti Code function: 5_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_00401579
Source: C:\Users\user\AppData\Roaming\ihuhfti Code function: 5_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_0040157C
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Code function: 7_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary, 7_2_100010D0
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Code function: 7_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 7_2_004034CC
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Code function: 7_2_00406A88 7_2_00406A88
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_001B1490 8_2_001B1490
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_001BD515 8_2_001BD515
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_001C4775 8_2_001C4775
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_001BBE09 8_2_001BBE09
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: String function: 001B0310 appears 51 times
Uses 32bit PE files
Source: SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000005.00000002.2656272737.00000000028D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2338338339.00000000028E1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2338226742.00000000028A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2656390640.0000000004391000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2656210461.0000000002791000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2338396480.0000000004271000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2656252926.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2338253538.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ihuhfti.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Ionic.Zip.dll.9.dr, WinZipAesCipherStream.cs Cryptographic APIs: 'TransformBlock'
Source: Ionic.Zip.dll.9.dr, WinZipAesCipherStream.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Ionic.Zip.dll.9.dr, WinZipAesCipherStream.cs Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: GamePall.exe.9.dr, Program.cs Base64 encoded string: 'pizR9uKkcZIkMW+F1cRjYV0LMt6eYXmLuiNCndESDPkTO3eY1Mjv7Hs2Qvo+t26G', 'ZTDMzZVpdA1FSa2RiY6ZCl2QGyLDtQ3OBRa/N40wO2xxcvcDsATtLRGwKtaEB36dqPJnDF8qXNs92JbMBlsOyg==', 'nYQvMVlU2Asj2rNkmi7xBNqGCkGzSnaP0raCPfB8A9hSwWFTIjPcsKgDrCVAEwSQ1lHf/WOhnKR59a5JjrkJVUOFvV43wO8MM1FKgjYuj7ZzvvuGve+okViUQx+oGN+llGnjS4Fm9o1MUn7p+qcPVIDZRcvMal1ARjQNk+bFvT5vC4J8slkhLZYtvBYmOybvSK90G7/f/U8GPBdM7WBmfFdHzzGxw6WFcHlkdySP8Nvmzff08RdOn8QOu8FlABEqqEjQ0W84v+/lU0lmhvzugpodd8fIp2kb2/twZPg9/Jsy5viOC65K8bs1ES63SA2d62f5cJYpFf1f0WBQbCBcSzfwiDlBCWVIW9vFXW1awyEMdm3q36+BViyETC5tnyHuoLRgf3bXoQAwqE0OIII5DROfW+LmqqHY82rVXHAqhVjdA2wZRWcSI1zxV7+qTfhmp9qbIQAWSuuXTzhbIvI3gjvtPCdz9uBv8rjyg1XZNxfdgYdtF+klyGgKdefnu5G2pgjfT3Kb/VbjgkFvLlqtWNr5K7iC080FVeHsZazMHUrrDtsmNdChtvnX8Zj77rIGVxi9RfvHhhIhBj+WSos+lJ2nuvQkUpqVEa1mrZSwPezG/uoh0qvs+BAHbNFNjv99WS6tgWIkvcQVCi2h3cfxTGQiZDetQZqB+N/mnvgC6WdrcRKGHBE4mp6bpgTY9+nt3lPiH6OZnlxC8rdHbuGtY6R/FgNFYkw49JWXYeZ1VV3KnjSrFMvDlkyMCAW1X9/1VoC+f73WVYMLwXafDKtGO2lfr9vwKms+8HoEgs7bj0aroIPdmLK/z/djAsFZO8Vp', 'T7BWwqrn4yISEECEAnARpwE8R+3lDHSc+RlcJT90an1SNsS27lGBQjOx4RmDHlrj7oJnnzx1IWXOkbTfLzBeCfU6UJhOIoQKhcWidAxAKIxvqZnoB6AujIU0F7dEj65vahyTdEvkIxzFaV2+akbl53KcDi5RPBOP16iXVi0WJdHV5AbSCI9WCEcSX/fUpmukBh4bjVF/T/P/B6TFVtNZintCOSO2Ha+2va2CJMOnJ020zYskwuvcH9d1rGD3Zf9RBC2obzrhRNK2LXTEIYnifs6L2UdqFhw5aANXILziQtzKvsTQKvc15hvHCCoeXJCyyK7/WgA/oRu7bdrTs2DwCQ==', 'ZY0WCEgzqiLEU8ZUVJwGTpbkuL9KoMwYVloBqJXjur8rfBZEXTysQNKRQ1H7/vn7o0wyHAux60SVy06r4v6So5WWxddei09LXvL6ZwK/tyY=', 's7iS2XfzyI+IBoARaZQlTINg1kEy7qT7EopaSHQzpqktZBtc7UiOYrPdv/6f4cNI', 'o2ZleBui4P9C2ZjnB98Vuesy1C+WucHiXjQJ8RANoX6TheGfnLYAWDsXRfSeNCDHWdkBP2RBrkWPBy/nuM2NFLMETMUsPFeG3JHWafvGKzaNEjYO3Up9m61SnaY5tINvLCYJ/TKITszJ9H1YSm2chnmQGLUzbz4pwvWvvKfH8m7z585W73/QZrtw3l/30vcZaVocgwemYusDJYsOTgeWc0okiDahD7qtJcBYZ0aOzxZZmHDMBYigkRVf8GTJ/xucA/i7EHBFpaWoLVZVcuGFMA==', 'T7BWwqrn4yISEECEAnARp+JyVgG3cZc2/9+3VbyOjc4PuRSCU7ZfXuXpIIH8uj2roUU+W7nSmXHqTuxLhe6DBfNVh8PFZrhNX/YhIexDxrk=', 'G4TxOgdwfNBdU+6bscw2hqt3kZYZMfoEuKZtmCxRLrF8xJCK1+L0ocd8eSQjty7d', 'PcG64iM3U1vDIVDm7HuwTSvKhuz45f/WPqYoWZvzLHcapbEfkynZkUjmDgg30eof', 'XGcq7Js3+2f2oGHGFzxJPiYsrodwK+bTw/0lKjiUd0tSWMHEjdVqzAclD1/nPksq3sGhVTN8oFeHMRE7wAt3mCLVCEXKF9JLnNeWw9vvCbs=', 'T7BWwqrn4yISEECEAnARp8UQ6kvfa8mDiwe39obQZ+Rxfj5bbo//kf+4mlTsZUEg0QM/4QBKb6sUDMsk9OTdYg==', 'T7BWwqrn4yISEECEAnARp/U1NCwfjpQ4K5UKuMbDqXSrjfU6Tf/pOCpHlHXtYnU5', 'Gg/rFkGmnFrfPAny9sQ3qerPGxlC7+cuu92x2tgXrCRkqABwTbbIR8+hJN0krbBD9OJX8s2JqeR+xICuD2u17N7KjlWCZwpg4+c7mG1xAahALfXXbu/EvJy+KsAzQlzR9bu8P4wbyuM6r6/7kdf+VQ==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLT3pudJg4gGhcEax3IHwBI0R5vZR7J9mjUQ8R9MdKz/Fw==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLTcCwJrbTmNGWmZutw1Di2FSZ+3JxFtC00BiemuQuq2+A=='
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@233/115@0/9
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Code function: 7_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 7_2_004034CC
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Code function: 7_2_00404897 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 7_2_00404897
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Code function: 0_2_028E425D CreateToolhelp32Snapshot,Module32First, 0_2_028E425D
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Code function: 7_2_00402173 CoCreateInstance,MultiByteToWideChar, 7_2_00402173
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\ihuhfti Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_mainLog.txt
Source: C:\Users\user\AppData\Local\Temp\898.exe Mutant created: \Sessions\1\BaseNamedObjects\1e7f31ac-1494-47cc-9633-054c20e7432e
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_rendLog.txt
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\A817.tmp Jump to behavior
Source: SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File read: C:\Program Files\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: A817.exe, 00000006.00000003.2714953905.00000000035F4000.00000004.00000800.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2726154356.00000000035E7000.00000004.00000800.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2715528518.00000000035D5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe ReversingLabs: Detection: 47%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\ihuhfti C:\Users\user\AppData\Roaming\ihuhfti
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\A817.exe C:\Users\user\AppData\Local\Temp\A817.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\D91B.exe C:\Users\user\AppData\Local\Temp\D91B.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\898.exe C:\Users\user\AppData\Local\Temp\898.exe
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\setup.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3616 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3824 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3812 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719942231320003 --launch-time-ticks=6813093635 --mojo-platform-channel-handle=4168 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719942231320003 --launch-time-ticks=6813175347 --mojo-platform-channel-handle=4216 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\A817.exe C:\Users\user\AppData\Local\Temp\A817.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\D91B.exe C:\Users\user\AppData\Local\Temp\D91B.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\898.exe C:\Users\user\AppData\Local\Temp\898.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3616 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3824 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3812 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719942231320003 --launch-time-ticks=6813093635 --mojo-platform-channel-handle=4168 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719942231320003 --launch-time-ticks=6813175347 --mojo-platform-channel-handle=4216 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cdprt.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: smartscreenps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ihuhfti Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ihuhfti Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ihuhfti Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ihuhfti Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: firewallapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: fwbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: audioses.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mdmregistration.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mdmregistration.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: omadmapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dmcmnutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iri.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dsreg.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscms.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exeePallll source: setup.exe, 00000009.00000002.4324246511.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdb source: widevinecdmadapter.dll.9.dr
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbU^1 source: 898.exe, 00000008.00000002.4009806264.000000000A808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbZ`0 source: 898.exe, 00000008.00000002.4009806264.000000000A808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: 898.exe, 00000008.00000002.4009806264.000000000A808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: libEGL.dll.pdb source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbx source: 898.exe, 00000008.00000002.4009806264.000000000A808000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000A.00000000.4014951511.0000000000442000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 0000000D.00000002.4104356642.0000000005EF2000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\chrome_elf.dll.pdb source: GamePall.exe, 0000000D.00000002.4131714578.0000000060519000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\** source: 898.exe, 00000008.00000002.3806811525.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 0000000D.00000002.4104356642.0000000005EF2000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 0000000D.00000002.4103312012.00000000053E2000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\chrome_elf.dll.pdb source: GamePall.exe, 0000000D.00000002.4131714578.0000000060519000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdbGCTL source: widevinecdmadapter.dll.9.dr
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 0000000D.00000002.4103312012.00000000053E2000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: 898.exe, 00000008.00000000.2854208305.00000000001C9000.00000002.00000001.01000000.0000000B.sdmp, 898.exe, 00000008.00000002.3799984274.00000000001C9000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 00000009.00000002.4325458416.000000000050A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 00000009.00000002.4325458416.000000000050A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: libGLESv2.dll.pdb source: setup.exe, 00000009.00000002.4326188374.000000000273F000.00000004.00000020.00020000.00000000.sdmp, libGLESv2.dll0.9.dr
Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: 898.exe, 00000008.00000000.2854208305.00000000001C9000.00000002.00000001.01000000.0000000B.sdmp, 898.exe, 00000008.00000002.3799984274.00000000001C9000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2*t source: 898.exe, 00000008.00000002.3806811525.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Unpacked PE file: 0.2.SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\ihuhfti Unpacked PE file: 5.2.ihuhfti.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Binary contains a suspicious time stamp
Source: Newtonsoft.Json.dll.9.dr Static PE information: 0xF68F744F [Mon Jan 31 06:35:59 2101 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Code function: 7_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary, 7_2_100010D0
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .vmpLp
PE file contains sections with non-standard names
Source: A817.exe.3.dr Static PE information: section name: .vmpLp
Source: A817.exe.3.dr Static PE information: section name: .vmpLp
Source: A817.exe.3.dr Static PE information: section name: .vmpLp
Source: chrome_elf.dll.9.dr Static PE information: section name: .00cfg
Source: chrome_elf.dll.9.dr Static PE information: section name: .crthunk
Source: chrome_elf.dll.9.dr Static PE information: section name: CPADinfo
Source: chrome_elf.dll.9.dr Static PE information: section name: malloc_h
Source: libEGL.dll.9.dr Static PE information: section name: .00cfg
Source: libGLESv2.dll.9.dr Static PE information: section name: .00cfg
Source: libcef.dll.9.dr Static PE information: section name: .00cfg
Source: libcef.dll.9.dr Static PE information: section name: .rodata
Source: libcef.dll.9.dr Static PE information: section name: CPADinfo
Source: libcef.dll.9.dr Static PE information: section name: malloc_h
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Code function: 0_2_00401CD1 push ecx; ret 0_2_00401CD2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Code function: 0_2_00401C91 push 00000076h; iretd 0_2_00401C93
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Code function: 0_2_00402E96 push B92A2F4Ch; retf 0_2_00402E9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Code function: 0_2_028A1CF8 push 00000076h; iretd 0_2_028A1CFA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Code function: 0_2_028A2EFD push B92A2F4Ch; retf 0_2_028A2F02
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Code function: 0_2_028A1D38 push ecx; ret 0_2_028A1D39
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Code function: 0_2_028E9CAF push edx; ret 0_2_028E9CB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Code function: 0_2_028EBD2D push FFFFFFFBh; iretd 0_2_028EBD43
Source: C:\Users\user\AppData\Roaming\ihuhfti Code function: 5_2_00401CD1 push ecx; ret 5_2_00401CD2
Source: C:\Users\user\AppData\Roaming\ihuhfti Code function: 5_2_00401C91 push 00000076h; iretd 5_2_00401C93
Source: C:\Users\user\AppData\Roaming\ihuhfti Code function: 5_2_00402E96 push B92A2F4Ch; retf 5_2_00402E9B
Source: C:\Users\user\AppData\Roaming\ihuhfti Code function: 5_2_0279BF1D push FFFFFFFBh; iretd 5_2_0279BF33
Source: C:\Users\user\AppData\Roaming\ihuhfti Code function: 5_2_02799E9F push edx; ret 5_2_02799EA0
Source: C:\Users\user\AppData\Roaming\ihuhfti Code function: 5_2_028C2EFD push B92A2F4Ch; retf 5_2_028C2F02
Source: C:\Users\user\AppData\Roaming\ihuhfti Code function: 5_2_028C1CF8 push 00000076h; iretd 5_2_028C1CFA
Source: C:\Users\user\AppData\Roaming\ihuhfti Code function: 5_2_028C1D38 push ecx; ret 5_2_028C1D39
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_001B004B push ecx; ret 8_2_001B005E
Source: SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Static PE information: section name: .text entropy: 7.492943572532929
Source: ihuhfti.3.dr Static PE information: section name: .text entropy: 7.492943572532929
Source: Ionic.Zip.dll.9.dr Static PE information: section name: .text entropy: 6.821349263259562
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libcef.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\log4net.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Del.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D91B.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D91B.exe File created: C:\Users\user\AppData\Local\Temp\nsgD880.tmp\blowfish.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Local\Temp\nsdB435.tmp\liteFirewall.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\A817.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D91B.exe File created: C:\Users\user\AppData\Local\Temp\nsgD880.tmp\nsProcess.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D91B.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\ihuhfti Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D91B.exe File created: C:\Users\user\AppData\Local\Temp\setup.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D91B.exe File created: C:\Users\user\AppData\Local\Temp\nsgD880.tmp\INetC.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\898.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\ihuhfti Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\securiteinfo.com.win32.dropperx-gen.32377.19302.exe Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\ihuhfti:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\ihuhfti Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\ihuhfti Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\ihuhfti Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\ihuhfti Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\ihuhfti Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\ihuhfti Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\A817.exe System information queried: FirmwareTableInformation Jump to behavior
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Roaming\ihuhfti API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Roaming\ihuhfti API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Local\Temp\A817.exe API/Special instruction interceptor: Address: 70522F
Source: C:\Users\user\AppData\Local\Temp\A817.exe API/Special instruction interceptor: Address: 704080
Source: C:\Users\user\AppData\Local\Temp\A817.exe API/Special instruction interceptor: Address: AA20B2
Source: C:\Users\user\AppData\Local\Temp\A817.exe API/Special instruction interceptor: Address: 7F5B80
Source: C:\Users\user\AppData\Local\Temp\A817.exe API/Special instruction interceptor: Address: 7491D7
Source: C:\Users\user\AppData\Local\Temp\A817.exe API/Special instruction interceptor: Address: 783463
Source: C:\Users\user\AppData\Local\Temp\A817.exe API/Special instruction interceptor: Address: 6B6310
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe, 00000000.00000002.2338276732.00000000028CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK,EF
Source: ihuhfti, 00000005.00000002.2656148630.000000000277E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOKF"EI
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 25B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 27A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 47A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 7D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2390000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4390000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1220000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2BB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4BB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2320000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 23E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2320000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1410000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2F90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 14D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 790000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2470000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2190000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: B80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2790000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4790000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 10E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2BA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1110000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2040000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 22E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 42E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 22F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 24B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 44B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 8F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 25D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 45D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1850000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 31B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 51B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: BE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2710000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 24E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2B90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2DC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2D10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: ED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2AA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 27F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1720000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 31D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2F10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: D40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2840000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4840000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 9A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 23A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 43A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2CE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2ED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2CE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1590000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2F60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4F60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2660000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2890000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4890000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1400000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2E50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4E50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: A90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2560000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: B10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1300000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2D50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2B20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: FD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2AC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 29F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1050000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2A70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2840000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1560000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2FC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2DE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: E40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2AB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 28C0000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Thread delayed: delay time: 600000
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 433 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1040 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 740 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 3911 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 877 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 869 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libcef.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\log4net.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsgD880.tmp\INetC.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Del.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsgD880.tmp\blowfish.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdB435.tmp\liteFirewall.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsgD880.tmp\nsProcess.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5952 Thread sleep time: -104000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 828 Thread sleep time: -74000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 5952 Thread sleep time: -391100s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe TID: 6600 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 1096 Thread sleep time: -600000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Code function: 7_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 7_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Code function: 7_2_004066FF FindFirstFileA,FindClose, 7_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Code function: 7_2_004027AA FindFirstFileA, 7_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_001C24BD FindFirstFileExW, 8_2_001C24BD
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_03521000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection, 8_2_03521000
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_03524E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW, 8_2_03524E27
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_03521D3C FindFirstFileW,FindNextFileW, 8_2_03521D3C
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_035240BA FindFirstFileW,FindNextFileW, 8_2_035240BA
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_03523EFC FindFirstFileW,FindNextFileW, 8_2_03523EFC
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_03522054 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA, 8_2_03522054
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\898.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe File opened: C:\Users\user\AppData\Local\Adobe\ Jump to behavior
Source: explorer.exe, 00000003.00000000.2318454001.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000003.00000000.2318454001.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: explorer.exe, 00000003.00000000.2313119165.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: A817.exe, 00000006.00000003.2726351368.000000000360D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
Source: explorer.exe, 00000003.00000000.2318454001.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2768851064.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2863594462.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000002.2865921435.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2699414998.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2713601252.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2863594462.0000000000E87000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2738569621.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000002.2865921435.0000000000E87000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2715137106.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, D91B.exe, 00000007.00000003.4342569603.00000000006A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: explorer.exe, 00000003.00000000.2318454001.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: explorer.exe, 00000003.00000000.2318454001.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: explorer.exe, 00000003.00000000.2315285325.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: A817.exe, 00000006.00000003.2726351368.000000000360D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: explorer.exe, 00000003.00000000.2314030513.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: explorer.exe, 00000003.00000000.2318454001.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000003.00000000.2318454001.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.2315285325.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: explorer.exe, 00000003.00000000.2315285325.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000003.00000000.2315285325.0000000007637000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 1efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAZ
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: explorer.exe, 00000003.00000000.2314030513.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: explorer.exe, 00000003.00000000.2318454001.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: explorer.exe, 00000003.00000000.2314030513.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: D91B.exe, 00000007.00000002.4351381522.00000000006EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWJ
Source: explorer.exe, 00000003.00000000.2314030513.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: A817.exe, 00000006.00000003.2726351368.0000000003608000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: explorer.exe, 00000003.00000000.2313119165.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\AppData\Local\Temp\D91B.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ihuhfti System information queried: CodeIntegrityInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\ihuhfti Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_001B4383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_001B4383
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Code function: 7_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary, 7_2_100010D0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Code function: 0_2_028A0D90 mov eax, dword ptr fs:[00000030h] 0_2_028A0D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Code function: 0_2_028A092B mov eax, dword ptr fs:[00000030h] 0_2_028A092B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Code function: 0_2_028E3B3A push dword ptr fs:[00000030h] 0_2_028E3B3A
Source: C:\Users\user\AppData\Roaming\ihuhfti Code function: 5_2_02793D2A push dword ptr fs:[00000030h] 5_2_02793D2A
Source: C:\Users\user\AppData\Roaming\ihuhfti Code function: 5_2_028C0D90 mov eax, dword ptr fs:[00000030h] 5_2_028C0D90
Source: C:\Users\user\AppData\Roaming\ihuhfti Code function: 5_2_028C092B mov eax, dword ptr fs:[00000030h] 5_2_028C092B
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_001C5891 GetProcessHeap, 8_2_001C5891
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_001B4383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_001B4383
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_001B0495 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_001B0495
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_001B0622 SetUnhandledExceptionFilter, 8_2_001B0622
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_001B06F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_001B06F0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: 898.exe.3.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 186.233.231.45 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 141.8.192.126 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 185.68.16.7 443 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 127.0.0.127 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 123.212.43.225 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 188.114.97.3 80 Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Thread created: C:\Windows\explorer.exe EIP: 83819D0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ihuhfti Thread created: unknown EIP: 87B19D0 Jump to behavior
LummaC encrypted strings found
Source: A817.exe, 00000006.00000002.2864832808.000000000029D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: pedestriankodwu.xyz
Source: A817.exe, 00000006.00000002.2864832808.000000000029D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: towerxxuytwi.xyz
Source: A817.exe, 00000006.00000002.2864832808.000000000029D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: ellaboratepwsz.xyz
Source: A817.exe, 00000006.00000002.2864832808.000000000029D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: penetratedpoopp.xyz
Source: A817.exe, 00000006.00000002.2864832808.000000000029D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: swellfrrgwwos.xyz
Source: A817.exe, 00000006.00000002.2864832808.000000000029D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: contintnetksows.shop
Source: A817.exe, 00000006.00000002.2864832808.000000000029D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: foodypannyjsud.shop
Source: A817.exe, 00000006.00000002.2864832808.000000000029D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: potterryisiw.shop
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\ihuhfti Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\ihuhfti Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3616 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3824 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3812 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719942231320003 --launch-time-ticks=6813093635 --mojo-platform-channel-handle=4168 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719942231320003 --launch-time-ticks=6813175347 --mojo-platform-channel-handle=4216 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (android 13; mobile; rv:127.0) gecko/127.0 firefox/127.0" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3616 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (android 13; mobile; rv:127.0) gecko/127.0 firefox/127.0" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3824 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (android 13; mobile; rv:127.0) gecko/127.0 firefox/127.0" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3812 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (android 13; mobile; rv:127.0) gecko/127.0 firefox/127.0" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719942231320003 --launch-time-ticks=6813093635 --mojo-platform-channel-handle=4168 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (android 13; mobile; rv:127.0) gecko/127.0 firefox/127.0" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719942231320003 --launch-time-ticks=6813175347 --mojo-platform-channel-handle=4216 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (android 13; mobile; rv:127.0) gecko/127.0 firefox/127.0" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3616 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (android 13; mobile; rv:127.0) gecko/127.0 firefox/127.0" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3824 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (android 13; mobile; rv:127.0) gecko/127.0 firefox/127.0" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3812 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (android 13; mobile; rv:127.0) gecko/127.0 firefox/127.0" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719942231320003 --launch-time-ticks=6813093635 --mojo-platform-channel-handle=4168 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (android 13; mobile; rv:127.0) gecko/127.0 firefox/127.0" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719942231320003 --launch-time-ticks=6813175347 --mojo-platform-channel-handle=4216 --field-trial-handle=3608,i,5322583597789313851,6405145499234275535,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: explorer.exe, 00000003.00000000.2318454001.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000003.00000000.2313611977.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.2315095585.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2313611977.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.2313611977.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.2313611977.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.2313119165.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_001B013C cpuid 8_2_001B013C
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: EnumSystemLocalesW, 8_2_001C5051
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: GetLocaleInfoW, 8_2_001BE096
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_001C50DC
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: GetLocaleInfoW, 8_2_001C532F
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_001C5458
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: GetLocaleInfoW, 8_2_001C555E
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_001C5634
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: EnumSystemLocalesW, 8_2_001BDBC7
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 8_2_001C4CBF
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: EnumSystemLocalesW, 8_2_001C4F6B
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: EnumSystemLocalesW, 8_2_001C4FB6
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\A817.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\898.exe Code function: 8_2_001B038F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 8_2_001B038F
Source: C:\Users\user\AppData\Local\Temp\D91B.exe Code function: 7_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 7_2_004034CC
Source: C:\Users\user\AppData\Local\Temp\A817.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: A817.exe, 00000006.00000003.2863594462.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000003.2828994575.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, A817.exe, 00000006.00000002.2865921435.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\A817.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: A817.exe PID: 5768, type: MEMORYSTR
Yara detected Poverty Stealer
Source: Yara match File source: 8.2.898.exe.c49e40.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.898.exe.3520000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.898.exe.3520000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.898.exe.c8f7a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.898.exe.c8f7a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.898.exe.c49e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.3830896916.0000000003520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3806811525.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 898.exe PID: 5300, type: MEMORYSTR
Yara detected SmokeLoader
Source: Yara match File source: 00000005.00000002.2656272737.00000000028D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2656390640.0000000004391000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2338396480.0000000004271000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2338253538.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Found many strings related to Crypto-Wallets (likely being stolen)
Source: A817.exe, 00000006.00000003.2715114703.0000000000F14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s/Electrum-LTCE
Source: A817.exe, 00000006.00000003.2768851064.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: A817.exe, 00000006.00000003.2715114703.0000000000F14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty
Source: A817.exe, 00000006.00000003.2768851064.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: A817.exe, 00000006.00000003.2768851064.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: A817.exe, 00000006.00000003.2715114703.0000000000F14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: A817.exe, 00000006.00000003.2713601252.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\BinanceV
Source: A817.exe, 00000006.00000003.2768851064.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Source: A817.exe, 00000006.00000003.2715114703.0000000000F14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: A817.exe, 00000006.00000003.2715114703.0000000000F14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: A817.exe, 00000006.00000003.2715137106.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\898.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla\Notes9.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Users\user\AppData\Local\Temp\A817.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Directory queried: C:\Users\user\Documents\AFWAAFRXKO Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Directory queried: C:\Users\user\Documents\AFWAAFRXKO Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Directory queried: C:\Users\user\Documents\TQDGENUHWP Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A817.exe Directory queried: C:\Users\user\Documents\TQDGENUHWP Jump to behavior
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Directory queried: number of queries: 1265
Yara detected Credential Stealer
Source: Yara match File source: 00000006.00000003.2715114703.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2800904439.0000000000F1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2768851064.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2779961853.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2737319587.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2800685873.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2710885777.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2801130375.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2768659017.0000000000F12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2725693658.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2738569621.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2745034642.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2743863458.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2745437256.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2725757098.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: A817.exe PID: 5768, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: A817.exe PID: 5768, type: MEMORYSTR
Yara detected Poverty Stealer
Source: Yara match File source: 8.2.898.exe.c49e40.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.898.exe.3520000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.898.exe.3520000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.898.exe.c8f7a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.898.exe.c8f7a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.898.exe.c49e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.3830896916.0000000003520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3806811525.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 898.exe PID: 5300, type: MEMORYSTR
Yara detected SmokeLoader
Source: Yara match File source: 00000005.00000002.2656272737.00000000028D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2656390640.0000000004391000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2338396480.0000000004271000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2338253538.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1466391 Sample: SecuriteInfo.com.Win32.Drop... Startdate: 02/07/2024 Architecture: WINDOWS Score: 100 105 Found malware configuration 2->105 107 Malicious sample detected (through community Yara rule) 2->107 109 Antivirus detection for dropped file 2->109 111 10 other signatures 2->111 12 SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe 2->12         started        15 ihuhfti 2->15         started        process3 signatures4 139 Detected unpacking (changes PE section rights) 12->139 141 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->141 143 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->143 151 2 other signatures 12->151 17 explorer.exe 77 13 12->17 injected 145 Multi AV Scanner detection for dropped file 15->145 147 Maps a DLL or memory area into another process 15->147 149 Checks if the current machine is a virtual machine (disk enumeration) 15->149 process5 dnsIp6 89 185.68.16.7 UKRAINE-ASUA Ukraine 17->89 91 186.233.231.45 SolucaoNetworkProvedorLtdaBR Brazil 17->91 93 3 other IPs or domains 17->93 65 C:\Users\user\AppData\Roaming\ihuhfti, PE32 17->65 dropped 67 C:\Users\user\AppData\Local\Temp\D91B.exe, PE32 17->67 dropped 69 C:\Users\user\AppData\Local\Temp\A817.exe, PE32 17->69 dropped 71 2 other malicious files 17->71 dropped 113 System process connects to network (likely due to code injection or exploit) 17->113 115 Benign windows process drops PE files 17->115 117 Deletes itself after installation 17->117 119 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->119 22 D91B.exe 3 35 17->22         started        26 A817.exe 17->26         started        29 898.exe 12 17->29         started        file7 signatures8 process9 dnsIp10 73 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 22->73 dropped 75 C:\Users\user\AppData\Local\...\blowfish.dll, PE32 22->75 dropped 77 C:\Users\user\AppData\Local\...\huge[1].dat, PE32 22->77 dropped 79 2 other files (none is malicious) 22->79 dropped 125 Antivirus detection for dropped file 22->125 127 Multi AV Scanner detection for dropped file 22->127 31 setup.exe 112 22->31         started        97 188.114.97.3 CLOUDFLARENETUS European Union 26->97 129 Query firmware table information (likely to detect VMs) 26->129 131 Machine Learning detection for dropped file 26->131 133 Found many strings related to Crypto-Wallets (likely being stolen) 26->133 137 4 other signatures 26->137 99 146.70.169.164 TENET-1ZA United Kingdom 29->99 101 104.192.141.1 AMAZON-02US United States 29->101 135 Tries to harvest and steal browser information (history, passwords, etc) 29->135 file11 signatures12 process13 file14 81 C:\Users\user\AppData\...\vulkan-1.dll, PE32 31->81 dropped 83 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32 31->83 dropped 85 C:\Users\user\AppData\...\libGLESv2.dll, PE32 31->85 dropped 87 16 other files (13 malicious) 31->87 dropped 103 Antivirus detection for dropped file 31->103 35 GamePall.exe 31->35         started        signatures15 process16 dnsIp17 95 172.67.221.174 CLOUDFLARENETUS United States 35->95 121 Antivirus detection for dropped file 35->121 123 Machine Learning detection for dropped file 35->123 39 GamePall.exe 35->39         started        41 GamePall.exe 35->41         started        43 GamePall.exe 35->43         started        45 5 other processes 35->45 signatures18 process19 process20 47 GamePall.exe 39->47         started        49 GamePall.exe 39->49         started        51 GamePall.exe 39->51         started        53 12 other processes 39->53 process21 55 GamePall.exe 47->55         started        57 GamePall.exe 47->57         started        59 GamePall.exe 47->59         started        61 GamePall.exe 49->61         started        63 GamePall.exe 51->63         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
186.233.231.45
 unknown Brazil
262675 SolucaoNetworkProvedorLtdaBR true
104.192.141.1
 unknown United States
16509 AMAZON-02US false
188.114.97.3
 unknown European Union
13335 CLOUDFLARENETUS true
141.8.192.126
 unknown Russian Federation
35278 SPRINTHOSTRU true
172.67.221.174
 unknown United States
13335 CLOUDFLARENETUS false
185.68.16.7
 unknown Ukraine
200000 UKRAINE-ASUA true
146.70.169.164
 unknown United Kingdom
2018 TENET-1ZA true
123.212.43.225
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR true

Private

IP
127.0.0.127

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://gebeus.ru/tmp/index.php true
    http://cx5519.com/tmp/index.php true
      contintnetksows.shop true
        http://evilos.cc/tmp/index.php true
          ellaboratepwsz.xyz true
            swellfrrgwwos.xyz true
              foodypannyjsud.shop true
                pedestriankodwu.xyz true
                  towerxxuytwi.xyz true
                    http://office-techs.biz/tmp/index.php true