Windows Analysis Report
37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe

Overview

General Information

Sample name: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe
Analysis ID: 1466523
MD5: c280b435ae8e9bcf43b221df43e9fc65
SHA1: 5185a39475de9e0b98f1faba04a9e3bf9e3d5d76
SHA256: fa39d4dbbf0828f381cf30adfb6b5f3c207e86d22eccbfcc4d4ecd90573e4b6b
Tags: exe
Infos:

Detection

LummaC, Poverty Stealer, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected LummaC Stealer
Yara detected Poverty Stealer
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Name Description Attribution Blogpost URLs Link
SmokeLoader The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
  • SMOKY SPIDER
 https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Avira: detected
Antivirus detection for URL or domain
Source: https://foodypannyjsud.shop/api6 Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/api2 Avira URL Cloud: Label: malware
Source: http://gebeus.ru/tmp/index.php Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/e Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/j Avira URL Cloud: Label: malware
Source: http://cx5519.com/tmp/index.php Avira URL Cloud: Label: malware
Source: contintnetksows.shop Avira URL Cloud: Label: malware
Source: http://evilos.cc/tmp/index.php Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/ob Avira URL Cloud: Label: malware
Source: ellaboratepwsz.xyz Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/apid Avira URL Cloud: Label: malware
Source: swellfrrgwwos.xyz Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/re1 Avira URL Cloud: Label: malware
Source: foodypannyjsud.shop Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/apiW Avira URL Cloud: Label: malware
Source: pedestriankodwu.xyz Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Avira: detection malicious, Label: HEUR/AGEN.1313486
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Avira: detection malicious, Label: HEUR/AGEN.1352426
Source: C:\Users\user\AppData\Local\Temp\setup.exe Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat Avira: detection malicious, Label: HEUR/AGEN.1359405
Found malware configuration
Source: 00000000.00000002.1691528939.00000000001E0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
Source: 9.2.1B6E.exe.165ea20.1.raw.unpack Malware Configuration Extractor: Poverty Stealer {"C2 url": "146.70.169.164:2227"}
Source: DBD3.exe.7704.6.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "bOKHNM--"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\FD47.exe ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Roaming\etvjrtf ReversingLabs: Detection: 60%
Multi AV Scanner detection for submitted file
Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe ReversingLabs: Detection: 60%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\Del.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: 9_2_03CD1C94 CryptProtectData, 9_2_03CD1C94
Uses 32bit PE files
Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall Jump to behavior
Source: Binary string: ntkrnlmp.pdbx, source: 1B6E.exe, 00000009.00000002.2893422102.000000000AEB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: GamePall.exe, 0000000C.00000002.4716327288.00000000060B2000.00000002.00000001.01000000.00000014.sdmp, Newtonsoft.Json.dll.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: 1B6E.exe, 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbe source: 1B6E.exe, 00000009.00000002.2893422102.000000000AEB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: GamePall.exe, GamePall.exe, 0000000C.00000002.4716327288.00000000060B2000.00000002.00000001.01000000.00000014.sdmp, Newtonsoft.Json.dll.11.dr
Source: Binary string: libEGL.dll.pdb source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbly source: 1B6E.exe, 00000009.00000002.2893422102.000000000AEC2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000C.00000000.3173116453.00000000003B2000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\chrome_elf.dll.pdb source: GamePall.exe, 00000010.00000002.4666674998.0000000060139000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 00000014.00000002.3264768163.0000000005952000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\*mp source: 1B6E.exe, 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000014.00000002.3256301243.00000000054E2000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 00000014.00000002.3264768163.0000000005952000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\chrome_elf.dll.pdb source: GamePall.exe, 00000010.00000002.4666674998.0000000060139000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exemePalll source: setup.exe, 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 00000014.00000002.3256301243.00000000054E2000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: 1B6E.exe, 00000009.00000000.2135317082.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp, 1B6E.exe, 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: 1B6E.exe, 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: libGLESv2.dll.pdb source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3374106210.0000000000689000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3374106210.0000000000689000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbmw source: 1B6E.exe, 00000009.00000002.2893422102.000000000AEC2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: 1B6E.exe, 00000009.00000000.2135317082.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp, 1B6E.exe, 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Directory queried: number of queries: 1437
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Code function: 7_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 7_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Code function: 7_2_004066FF FindFirstFileA,FindClose, 7_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Code function: 7_2_004027AA FindFirstFileA, 7_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: 9_2_00A924BD FindFirstFileExW, 9_2_00A924BD
Source: C:\Users\user\AppData\Local\Temp\setup.exe Code function: 11_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 11_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\setup.exe Code function: 11_2_004066FF FindFirstFileA,FindClose, 11_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\setup.exe Code function: 11_2_004027AA FindFirstFileA, 11_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Local\Adobe\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\ Jump to behavior

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 181.52.122.51 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 141.8.192.126 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 185.68.16.7 443 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 127.0.0.127 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: pedestriankodwu.xyz
Source: Malware configuration extractor URLs: towerxxuytwi.xyz
Source: Malware configuration extractor URLs: ellaboratepwsz.xyz
Source: Malware configuration extractor URLs: penetratedpoopp.xyz
Source: Malware configuration extractor URLs: swellfrrgwwos.xyz
Source: Malware configuration extractor URLs: contintnetksows.shop
Source: Malware configuration extractor URLs: foodypannyjsud.shop
Source: Malware configuration extractor URLs: potterryisiw.shop
Source: Malware configuration extractor URLs: potterryisiw.shop
Source: Malware configuration extractor URLs: http://evilos.cc/tmp/index.php
Source: Malware configuration extractor URLs: http://gebeus.ru/tmp/index.php
Source: Malware configuration extractor URLs: http://office-techs.biz/tmp/index.php
Source: Malware configuration extractor URLs: http://cx5519.com/tmp/index.php
Source: Malware configuration extractor URLs: 146.70.169.164:2227
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 141.8.192.126 141.8.192.126
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TelmexColombiaSACO TelmexColombiaSACO
Source: Joe Sandbox View ASN Name: SPRINTHOSTRU SPRINTHOSTRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: GamePall.exe, 00000028.00000002.3663716705.0000000003017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.install-stat.debug.world/clients/activity
Source: GamePall.exe, 00000018.00000002.3894887215.00000000023F8000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000019.00000002.3931428802.0000000002718000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000001C.00000002.3768604841.0000000002541000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000001D.00000002.3773257982.0000000002358000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000021.00000002.4013382785.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000022.00000002.4123152076.0000000003268000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.install-stat.debug.world/clients/activity.0
Source: GamePall.exe, 00000028.00000002.3663716705.0000000003017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.install-stat.debug.world/clients/installs
Source: GamePall.exe, 00000028.00000002.3663716705.0000000003017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bageyou.xyz
Source: GamePall.exe, 0000000C.00000002.3507088794.00000000027F7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bageyou.xyz/c/g
Source: GamePall.exe, 0000000C.00000002.3507088794.00000000027F7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bageyou.xyz/c/g4
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: explorer.exe, 00000001.00000000.1683280405.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1684623334.000000000982D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmp String found in binary or memory: http://crbug.com/275944
Source: GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmp String found in binary or memory: http://crbug.com/497301
Source: GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmp String found in binary or memory: http://crbug.com/514696
Source: GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmp String found in binary or memory: http://crbug.com/717501
Source: GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmp String found in binary or memory: http://crbug.com/775961
Source: GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmp String found in binary or memory: http://crbug.com/839189
Source: DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: explorer.exe, 00000001.00000000.1683280405.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1684623334.000000000982D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: explorer.exe, 00000001.00000000.1683280405.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1684623334.000000000982D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: GamePall.exe, 0000000C.00000002.4777657271.0000000037F04000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://groutchoay.com/
Source: GamePall.exe, 0000000C.00000002.4777657271.0000000037F04000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://groutchoay.com/7
Source: GamePall.exe, 0000000C.00000002.3507088794.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://groutchoay.com/?l=8pVpPBflecjcgHU
Source: GamePall.exe, 0000000C.00000002.4765285515.0000000037D68000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://groutchoay.com/?l=8pVpPBflecjcgHU&s=831805244739428353&z=6966849&tb=6424104&pz=6424105
Source: GamePall.exe, 0000000C.00000002.4757714643.0000000037C74000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://groutchoay.com/?l=8pVpPBflecjcgHU&s=831805244739428353&z=6966849&tb=6424104&pz=64241057
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://james.newtonking.com/projects/json
Source: GamePall.exe, 00000014.00000002.3256301243.00000000054E2000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: setup.exe, setup.exe, 0000000B.00000003.3173882874.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp, setup.exe, 0000000B.00000000.2873916150.000000000040A000.00000008.00000001.01000000.0000000E.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: FD47.exe, 00000007.00000000.2074830237.000000000040A000.00000008.00000001.01000000.00000008.sdmp, FD47.exe, 00000007.00000002.3392772563.000000000040A000.00000004.00000001.01000000.00000008.sdmp, setup.exe, 0000000B.00000003.3173882874.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp, setup.exe, 0000000B.00000000.2873916150.000000000040A000.00000008.00000001.01000000.0000000E.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000001.00000000.1683280405.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1684623334.000000000982D000.00000004.00000001.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 00000001.00000000.1683280405.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: explorer.exe, 00000001.00000000.1684248888.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1685237344.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1683896450.0000000007F40000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: GamePall.exe, 0000000C.00000002.3507088794.0000000002AEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: GamePall.exe, 0000000C.00000002.4776026493.0000000037ECC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/
Source: GamePall.exe, 00000014.00000002.3256301243.00000000054E2000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: http://www.apache.org/).
Source: GamePall.exe, 00000014.00000002.3256301243.00000000054E2000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: http://www.apache.org/licenses/
Source: GamePall.exe, 00000014.00000002.3256301243.00000000054E2000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: GamePall.exe, 00000010.00000002.3378641499.0000000006140000.00000002.00000001.00040000.0000001B.sdmp String found in binary or memory: http://www.unicode.org/copyright.html
Source: DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: DBD3.exe, 00000006.00000003.2048454548.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2821062331.000000000AF1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: FD47.exe, 00000007.00000003.2077335796.00000000030D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xiexie.wf/22_551/huge.dat
Source: FD47.exe, 00000007.00000002.3536265180.00000000007A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xiexie.wf/22_551/huge.datf
Source: FD47.exe, 00000007.00000002.3536265180.00000000007A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xiexie.wf/22_551/huge.datlb
Source: FD47.exe, 00000007.00000002.3392772563.0000000000434000.00000004.00000001.01000000.00000008.sdmp String found in binary or memory: http://xiexie.wf/22_551/huge.datmCGBZvyfGQlwd
Source: DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2863419240.000000000A81F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000001.00000000.1686438182.000000000C893000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1683280405.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1683280405.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1686438182.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1684623334.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1684623334.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1682187494.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1681641684.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1684623334.00000000096DF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1684623334.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1684623334.00000000096DF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: 1B6E.exe, 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664327299.0000000001620000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664386169.0000000001623000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aui-cdn.atlassian.com/
Source: 1B6E.exe, 00000009.00000002.2833845596.00000000015ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/
Source: 1B6E.exe, 00000009.00000002.2833845596.00000000015ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/I
Source: 1B6E.exe, 00000009.00000002.2833845596.00000000015A0000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2833845596.00000000015ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee
Source: DBD3.exe, 00000006.00000003.2050013210.00000000016CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: DBD3.exe, 00000006.00000003.2050013210.00000000016CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: 1B6E.exe, 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664327299.0000000001620000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664386169.0000000001623000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cookielaw.org/
Source: DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2863419240.000000000A81F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1683280405.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1683280405.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2863419240.000000000A81F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2863419240.000000000A81F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: GamePall.exe, 0000000C.00000002.4788856489.0000000056670000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=ukCtrl$1
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=urCtrl$2
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=viCtrl$1
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CNCtrl$1
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TWCtrl$1
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: GamePall.exe, 0000000C.00000002.4788856489.0000000056670000.00000004.00001000.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmp String found in binary or memory: https://chromewebstore.google.com/
Source: GamePall.exe, 0000000C.00000002.4788856489.0000000056670000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/declarativeNetRequestWithHostAccessapp.window.fullscreen.overrideE
Source: GamePall.exe, 0000000C.00000002.4787685561.000000005662C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmp String found in binary or memory: https://codereview.chromium.org/25305002).
Source: DBD3.exe, 00000006.00000003.2050013210.00000000016CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: DBD3.exe, 00000006.00000003.2050013210.00000000016CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmp String found in binary or memory: https://crbug.com/1245093):
Source: GamePall.exe, 0000000F.00000002.4113180925.000000000672C000.00000002.00000001.00040000.0000001E.sdmp String found in binary or memory: https://crbug.com/1446731
Source: 1B6E.exe, 00000009.00000003.2664386169.0000000001623000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
Source: 1B6E.exe, 00000009.00000003.2664386169.0000000001623000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
Source: DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2863419240.000000000A81F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2863419240.000000000A81F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 1B6E.exe, 00000009.00000003.2664327299.0000000001620000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664463768.000000000165D000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664386169.0000000001623000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: explorer.exe, 00000001.00000000.1686438182.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: DBD3.exe, 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2119386462.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2037792556.000000000169D000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2087019391.00000000016B6000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076801213.00000000016B2000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000002.2122102908.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2037792556.000000000165C000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076955432.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2097922295.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076766706.00000000016AC000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2023067511.000000000163F000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2022920516.000000000165B000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024545560.000000000165B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/
Source: DBD3.exe, 00000006.00000003.2119386462.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000002.2122102908.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2097922295.00000000016B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/F9Q
Source: DBD3.exe, 00000006.00000003.2022920516.000000000165B000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000002.2122082002.00000000016A7000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024545560.000000000165B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/api
Source: DBD3.exe, 00000006.00000003.2037792556.000000000165C000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2022920516.000000000165B000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024545560.000000000165B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/api2
Source: DBD3.exe, 00000006.00000003.2087019391.00000000016B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/api6
Source: DBD3.exe, 00000006.00000003.2119940512.00000000016A7000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000002.2122082002.00000000016A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/apiW
Source: DBD3.exe, 00000006.00000003.2037792556.000000000169D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/apid
Source: DBD3.exe, 00000006.00000003.2087019391.00000000016B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/bm/
Source: DBD3.exe, 00000006.00000003.2119386462.000000000163D000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000002.2121863832.000000000163D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/e
Source: DBD3.exe, 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2087019391.00000000016B6000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076801213.00000000016B2000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076955432.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076766706.00000000016AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/j
Source: DBD3.exe, 00000006.00000003.2087019391.00000000016B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/jhg
Source: DBD3.exe, 00000006.00000003.2087019391.00000000016B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/ob
Source: DBD3.exe, 00000006.00000003.2097922295.00000000016B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/pi
Source: DBD3.exe, 00000006.00000003.2119386462.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000002.2122102908.00000000016B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/re1
Source: DBD3.exe, 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2087019391.00000000016B6000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076801213.00000000016B2000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076955432.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076766706.00000000016AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/sG
Source: DBD3.exe, 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2087019391.00000000016B6000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076801213.00000000016B2000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076955432.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2076766706.00000000016AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/sc
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1683280405.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: DBD3.exe, 00000006.00000003.2050013210.00000000016CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://myactivity.google.com/
Source: explorer.exe, 00000001.00000000.1686438182.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com_
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://passwords.google.com
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://passwords.google.comGoogle
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://passwords.google.comT
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://policies.google.com/
Source: explorer.exe, 00000001.00000000.1686438182.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: 1B6E.exe, 00000009.00000003.2664327299.0000000001620000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664463768.000000000165D000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664386169.0000000001623000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: 1B6E.exe, 00000009.00000003.2664327299.0000000001620000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664463768.000000000165D000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664386169.0000000001623000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: GamePall.exe, 0000000C.00000002.4776026493.0000000037ECC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: GamePall.exe, 0000000C.00000002.4759970266.0000000037CB8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=dummytoken
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: DBD3.exe, 00000006.00000003.2023916098.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: DBD3.exe, 00000006.00000003.2049741742.0000000003C57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: DBD3.exe, 00000006.00000003.2049741742.0000000003C57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: DBD3.exe, 00000006.00000003.2024184644.0000000003B85000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2023916098.0000000003B8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: DBD3.exe, 00000006.00000003.2024184644.0000000003B60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: DBD3.exe, 00000006.00000003.2024184644.0000000003B85000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2023916098.0000000003B8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: DBD3.exe, 00000006.00000003.2024184644.0000000003B60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: GamePall.exe, 00000014.00000002.3256945805.0000000005526000.00000002.00000001.01000000.00000012.sdmp, GamePall.exe, 00000014.00000002.3256301243.00000000054E2000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
Source: 1B6E.exe, 00000009.00000003.2664327299.0000000001620000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664463768.000000000165D000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000003.2664386169.0000000001623000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1686438182.000000000C557000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1686438182.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: DBD3.exe, 00000006.00000003.2050013210.00000000016CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2863419240.000000000A81F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: DBD3.exe, 00000006.00000003.2050013210.00000000016CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&
Source: GamePall.exe, 00000010.00000002.3970596633.0000000006C20000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&r
Source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlYar&d
Source: DBD3.exe, 00000006.00000003.2024480676.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2024611734.0000000003B48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: DBD3.exe, 00000006.00000003.2049741742.0000000003C57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: DBD3.exe, 00000006.00000003.2049741742.0000000003C57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: DBD3.exe, 00000006.00000003.2049741742.0000000003C57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: DBD3.exe, 00000006.00000003.2049741742.0000000003C57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: DBD3.exe, 00000006.00000003.2049741742.0000000003C57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1683280405.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1683280405.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: GamePall.exe, GamePall.exe, 0000000C.00000002.4716327288.00000000060B2000.00000002.00000001.01000000.00000014.sdmp, Newtonsoft.Json.dll.11.dr String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1683280405.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000003.00000002.1924153562.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1691624070.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1691528939.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1923776407.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Code function: 7_2_004055E7 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 7_2_004055E7
Too many similar processes found
Source: GamePall.exe Process created: 54

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.1924153562.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1691624070.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1691528939.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000003.00000002.1923776407.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
PE file has a writeable .text section
Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: etvjrtf.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Abnormal high CPU Usage
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Code function: 0_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401538
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Code function: 0_2_00402FE9 RtlCreateUserThread,NtTerminateProcess, 0_2_00402FE9
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Code function: 0_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004014DE
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Code function: 0_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401496
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Code function: 0_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401543
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Code function: 0_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401565
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Code function: 0_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401579
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Code function: 0_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040157C
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Code function: 7_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary, 7_2_100010D0
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Code function: 7_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 7_2_004034CC
Source: C:\Users\user\AppData\Local\Temp\setup.exe Code function: 11_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 11_2_004034CC
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Code function: 7_2_00406A88 7_2_00406A88
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: 9_2_00A81490 9_2_00A81490
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: 9_2_00A8D515 9_2_00A8D515
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: 9_2_00A94775 9_2_00A94775
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: 9_2_00A8BE09 9_2_00A8BE09
Source: C:\Users\user\AppData\Local\Temp\setup.exe Code function: 11_2_00406A88 11_2_00406A88
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 12_2_02564F58 12_2_02564F58
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 12_2_02561049 12_2_02561049
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 12_2_059F6608 12_2_059F6608
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 12_2_06A90790 12_2_06A90790
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 12_2_06A9D650 12_2_06A9D650
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 12_2_63CE1D27 12_2_63CE1D27
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 12_2_635714C0 12_2_635714C0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 12_2_63C44960 12_2_63C44960
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 12_2_63D37460 12_2_63D37460
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 12_2_63D37C50 12_2_63D37C50
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 12_2_61E89120 12_2_61E89120
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 12_2_63CA4003 12_2_63CA4003
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 12_2_61D342A0 12_2_61D342A0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: String function: 00A80310 appears 51 times
PE file does not import any functions
Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Static PE information: No import functions for PE file found
Source: etvjrtf.1.dr Static PE information: No import functions for PE file found
Uses 32bit PE files
Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 00000003.00000002.1924153562.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1691624070.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1691528939.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000003.00000002.1923776407.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: etvjrtf.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Static PE information: Section .text
Source: etvjrtf.1.dr Static PE information: Section .text
Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.cs Cryptographic APIs: 'TransformBlock'
Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.cs Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: GamePall.exe.11.dr, Program.cs Base64 encoded string: 'pizR9uKkcZIkMW+F1cRjYV0LMt6eYXmLuiNCndESDPkTO3eY1Mjv7Hs2Qvo+t26G', 'ZTDMzZVpdA1FSa2RiY6ZCl2QGyLDtQ3OBRa/N40wO2xxcvcDsATtLRGwKtaEB36dqPJnDF8qXNs92JbMBlsOyg==', 'nYQvMVlU2Asj2rNkmi7xBNqGCkGzSnaP0raCPfB8A9hSwWFTIjPcsKgDrCVAEwSQ1lHf/WOhnKR59a5JjrkJVUOFvV43wO8MM1FKgjYuj7ZzvvuGve+okViUQx+oGN+llGnjS4Fm9o1MUn7p+qcPVIDZRcvMal1ARjQNk+bFvT5vC4J8slkhLZYtvBYmOybvSK90G7/f/U8GPBdM7WBmfFdHzzGxw6WFcHlkdySP8Nvmzff08RdOn8QOu8FlABEqqEjQ0W84v+/lU0lmhvzugpodd8fIp2kb2/twZPg9/Jsy5viOC65K8bs1ES63SA2d62f5cJYpFf1f0WBQbCBcSzfwiDlBCWVIW9vFXW1awyEMdm3q36+BViyETC5tnyHuoLRgf3bXoQAwqE0OIII5DROfW+LmqqHY82rVXHAqhVjdA2wZRWcSI1zxV7+qTfhmp9qbIQAWSuuXTzhbIvI3gjvtPCdz9uBv8rjyg1XZNxfdgYdtF+klyGgKdefnu5G2pgjfT3Kb/VbjgkFvLlqtWNr5K7iC080FVeHsZazMHUrrDtsmNdChtvnX8Zj77rIGVxi9RfvHhhIhBj+WSos+lJ2nuvQkUpqVEa1mrZSwPezG/uoh0qvs+BAHbNFNjv99WS6tgWIkvcQVCi2h3cfxTGQiZDetQZqB+N/mnvgC6WdrcRKGHBE4mp6bpgTY9+nt3lPiH6OZnlxC8rdHbuGtY6R/FgNFYkw49JWXYeZ1VV3KnjSrFMvDlkyMCAW1X9/1VoC+f73WVYMLwXafDKtGO2lfr9vwKms+8HoEgs7bj0aroIPdmLK/z/djAsFZO8Vp', 'T7BWwqrn4yISEECEAnARpwE8R+3lDHSc+RlcJT90an1SNsS27lGBQjOx4RmDHlrj7oJnnzx1IWXOkbTfLzBeCfU6UJhOIoQKhcWidAxAKIxvqZnoB6AujIU0F7dEj65vahyTdEvkIxzFaV2+akbl53KcDi5RPBOP16iXVi0WJdHV5AbSCI9WCEcSX/fUpmukBh4bjVF/T/P/B6TFVtNZintCOSO2Ha+2va2CJMOnJ020zYskwuvcH9d1rGD3Zf9RBC2obzrhRNK2LXTEIYnifs6L2UdqFhw5aANXILziQtzKvsTQKvc15hvHCCoeXJCyyK7/WgA/oRu7bdrTs2DwCQ==', 'ZY0WCEgzqiLEU8ZUVJwGTpbkuL9KoMwYVloBqJXjur8rfBZEXTysQNKRQ1H7/vn7o0wyHAux60SVy06r4v6So5WWxddei09LXvL6ZwK/tyY=', 's7iS2XfzyI+IBoARaZQlTINg1kEy7qT7EopaSHQzpqktZBtc7UiOYrPdv/6f4cNI', 'o2ZleBui4P9C2ZjnB98Vuesy1C+WucHiXjQJ8RANoX6TheGfnLYAWDsXRfSeNCDHWdkBP2RBrkWPBy/nuM2NFLMETMUsPFeG3JHWafvGKzaNEjYO3Up9m61SnaY5tINvLCYJ/TKITszJ9H1YSm2chnmQGLUzbz4pwvWvvKfH8m7z585W73/QZrtw3l/30vcZaVocgwemYusDJYsOTgeWc0okiDahD7qtJcBYZ0aOzxZZmHDMBYigkRVf8GTJ/xucA/i7EHBFpaWoLVZVcuGFMA==', 'T7BWwqrn4yISEECEAnARp+JyVgG3cZc2/9+3VbyOjc4PuRSCU7ZfXuXpIIH8uj2roUU+W7nSmXHqTuxLhe6DBfNVh8PFZrhNX/YhIexDxrk=', 'G4TxOgdwfNBdU+6bscw2hqt3kZYZMfoEuKZtmCxRLrF8xJCK1+L0ocd8eSQjty7d', 'PcG64iM3U1vDIVDm7HuwTSvKhuz45f/WPqYoWZvzLHcapbEfkynZkUjmDgg30eof', 'XGcq7Js3+2f2oGHGFzxJPiYsrodwK+bTw/0lKjiUd0tSWMHEjdVqzAclD1/nPksq3sGhVTN8oFeHMRE7wAt3mCLVCEXKF9JLnNeWw9vvCbs=', 'T7BWwqrn4yISEECEAnARp8UQ6kvfa8mDiwe39obQZ+Rxfj5bbo//kf+4mlTsZUEg0QM/4QBKb6sUDMsk9OTdYg==', 'T7BWwqrn4yISEECEAnARp/U1NCwfjpQ4K5UKuMbDqXSrjfU6Tf/pOCpHlHXtYnU5', 'Gg/rFkGmnFrfPAny9sQ3qerPGxlC7+cuu92x2tgXrCRkqABwTbbIR8+hJN0krbBD9OJX8s2JqeR+xICuD2u17N7KjlWCZwpg4+c7mG1xAahALfXXbu/EvJy+KsAzQlzR9bu8P4wbyuM6r6/7kdf+VQ==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLT3pudJg4gGhcEax3IHwBI0R5vZR7J9mjUQ8R9MdKz/Fw==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLTcCwJrbTmNGWmZutw1Di2FSZ+3JxFtC00BiemuQuq2+A=='
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@273/116@0/8
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Code function: 7_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 7_2_004034CC
Source: C:\Users\user\AppData\Local\Temp\setup.exe Code function: 11_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 11_2_004034CC
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Code function: 7_2_00404897 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 7_2_00404897
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Code function: 7_2_00402173 CoCreateInstance,MultiByteToWideChar, 7_2_00402173
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\etvjrtf Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_rendLog.txt
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Mutant created: \Sessions\1\BaseNamedObjects\1e7f31ac-1494-47cc-9633-054c20e7432e
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_mainLog.txt
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\DBD3.tmp Jump to behavior
Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: DBD3.exe, 00000006.00000003.2024312683.0000000003B64000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe ReversingLabs: Detection: 60%
Source: unknown Process created: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe "C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\etvjrtf C:\Users\user\AppData\Roaming\etvjrtf
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\DBD3.exe C:\Users\user\AppData\Local\Temp\DBD3.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\FD47.exe C:\Users\user\AppData\Local\Temp\FD47.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\1B6E.exe C:\Users\user\AppData\Local\Temp\1B6E.exe
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\setup.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3300 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3972 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3996 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171165647 --mojo-platform-channel-handle=4028 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171215235 --mojo-platform-channel-handle=4164 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\DBD3.exe C:\Users\user\AppData\Local\Temp\DBD3.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\FD47.exe C:\Users\user\AppData\Local\Temp\FD47.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\1B6E.exe C:\Users\user\AppData\Local\Temp\1B6E.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3300 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3972 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3996 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171165647 --mojo-platform-channel-handle=4028 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171215235 --mojo-platform-channel-handle=4164 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cdprt.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: smartscreenps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\etvjrtf Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: fwpolicyiomgr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: audioses.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscms.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mdmregistration.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mdmregistration.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: omadmapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dmcmnutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iri.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dsreg.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall Jump to behavior
Source: Binary string: ntkrnlmp.pdbx, source: 1B6E.exe, 00000009.00000002.2893422102.000000000AEB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: GamePall.exe, 0000000C.00000002.4716327288.00000000060B2000.00000002.00000001.01000000.00000014.sdmp, Newtonsoft.Json.dll.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: 1B6E.exe, 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbe source: 1B6E.exe, 00000009.00000002.2893422102.000000000AEB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: GamePall.exe, GamePall.exe, 0000000C.00000002.4716327288.00000000060B2000.00000002.00000001.01000000.00000014.sdmp, Newtonsoft.Json.dll.11.dr
Source: Binary string: libEGL.dll.pdb source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbly source: 1B6E.exe, 00000009.00000002.2893422102.000000000AEC2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000C.00000000.3173116453.00000000003B2000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\chrome_elf.dll.pdb source: GamePall.exe, 00000010.00000002.4666674998.0000000060139000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 00000014.00000002.3264768163.0000000005952000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\*mp source: 1B6E.exe, 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000014.00000002.3256301243.00000000054E2000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 00000014.00000002.3264768163.0000000005952000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\chrome_elf.dll.pdb source: GamePall.exe, 00000010.00000002.4666674998.0000000060139000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exemePalll source: setup.exe, 0000000B.00000002.3373661700.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 00000014.00000002.3256301243.00000000054E2000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: 1B6E.exe, 00000009.00000000.2135317082.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp, 1B6E.exe, 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: 1B6E.exe, 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: libGLESv2.dll.pdb source: setup.exe, 0000000B.00000002.3374533199.0000000002737000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3374106210.0000000000689000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3374106210.0000000000689000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbmw source: 1B6E.exe, 00000009.00000002.2893422102.000000000AEC2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: 1B6E.exe, 00000009.00000000.2135317082.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp, 1B6E.exe, 00000009.00000002.2833158937.0000000000A99000.00000002.00000001.01000000.0000000C.sdmp
Binary contains a suspicious time stamp
Source: Newtonsoft.Json.dll.11.dr Static PE information: 0xF68F744F [Mon Jan 31 06:35:59 2101 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Code function: 7_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary, 7_2_100010D0
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .vmpLp
PE file contains an invalid checksum
Source: chrome_elf.dll.11.dr Static PE information: real checksum: 0x0 should be: 0x11ff85
Source: Del.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x556d
Source: libGLESv2.dll.11.dr Static PE information: real checksum: 0x0 should be: 0x263106
Source: 1B6E.exe.1.dr Static PE information: real checksum: 0x0 should be: 0x9498e
Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Static PE information: real checksum: 0xe07f should be: 0x194ea
Source: GamePall.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x5286e
Source: Uninstall.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x3fba6
Source: FD47.exe.1.dr Static PE information: real checksum: 0x0 should be: 0x5633b
Source: INetC.dll.7.dr Static PE information: real checksum: 0x0 should be: 0xa6c6
Source: libEGL.dll.11.dr Static PE information: real checksum: 0x0 should be: 0x690e6
Source: blowfish.dll.7.dr Static PE information: real checksum: 0x0 should be: 0x152a5
Source: Xilium.CefGlue.dll.11.dr Static PE information: real checksum: 0x0 should be: 0xdde0b
Source: etvjrtf.1.dr Static PE information: real checksum: 0xe07f should be: 0x194ea
Source: libGLESv2.dll0.11.dr Static PE information: real checksum: 0x0 should be: 0x65b4a2
PE file contains sections with non-standard names
Source: DBD3.exe.1.dr Static PE information: section name: .vmpLp
Source: DBD3.exe.1.dr Static PE information: section name: .vmpLp
Source: DBD3.exe.1.dr Static PE information: section name: .vmpLp
Source: libGLESv2.dll.11.dr Static PE information: section name: .00cfg
Source: libGLESv2.dll.11.dr Static PE information: section name: .voltbl
Source: chrome_elf.dll.11.dr Static PE information: section name: .00cfg
Source: chrome_elf.dll.11.dr Static PE information: section name: .crthunk
Source: chrome_elf.dll.11.dr Static PE information: section name: CPADinfo
Source: chrome_elf.dll.11.dr Static PE information: section name: malloc_h
Source: libEGL.dll.11.dr Static PE information: section name: .00cfg
Source: libGLESv2.dll0.11.dr Static PE information: section name: .00cfg
Source: libcef.dll.11.dr Static PE information: section name: .00cfg
Source: libcef.dll.11.dr Static PE information: section name: .rodata
Source: libcef.dll.11.dr Static PE information: section name: CPADinfo
Source: libcef.dll.11.dr Static PE information: section name: malloc_h
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Code function: 0_2_00408616 push eax; retf 0000h 0_2_00408619
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Code function: 0_2_00401CD1 push ecx; ret 0_2_00401CD2
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Code function: 0_2_004084E6 push FFFFFFFBh; iretd 0_2_004084FC
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Code function: 0_2_00401C91 push 00000076h; iretd 0_2_00401C93
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Code function: 0_2_00402E96 push B92A2F4Ch; retf 0_2_00402E9B
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: 9_2_00A8004B push ecx; ret 9_2_00A8005E
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 12_2_62036B54 push ss; retf 12_2_62036B57
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 12_2_63C458D2 push ebp; iretd 12_2_63C458D3
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 12_2_63C4589C push ebp; iretd 12_2_63C4589D
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 12_2_63597138 push esp; ret 12_2_63597139
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 12_2_61DA38A9 push ecx; ret 12_2_61DA38AC
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 12_2_61E5A1BA push 83000004h; ret 12_2_61E5A1BF
Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Static PE information: section name: .text entropy: 7.062241098302679
Source: etvjrtf.1.dr Static PE information: section name: .text entropy: 7.062241098302679
Source: Ionic.Zip.dll.11.dr Static PE information: section name: .text entropy: 6.821349263259562
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\FD47.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\log4net.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FD47.exe File created: C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\nsProcess.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FD47.exe File created: C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\blowfish.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FD47.exe File created: C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\INetC.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\etvjrtf Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Del.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\DBD3.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libcef.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Local\Temp\nsiA896.tmp\liteFirewall.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\1B6E.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FD47.exe File created: C:\Users\user\AppData\Local\Temp\setup.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FD47.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\etvjrtf Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\etvjrtf:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\etvjrtf Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\etvjrtf Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\etvjrtf Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\etvjrtf Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\etvjrtf Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\etvjrtf Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe System information queried: FirmwareTableInformation Jump to behavior
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\etvjrtf API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\etvjrtf API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe API/Special instruction interceptor: Address: E87E15
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe API/Special instruction interceptor: Address: 9A76F5
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe API/Special instruction interceptor: Address: A84E89
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe API/Special instruction interceptor: Address: BB5B80
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe API/Special instruction interceptor: Address: AC522F
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe API/Special instruction interceptor: Address: B8F069
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: etvjrtf, 00000003.00000002.1923896582.00000000004E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK.
Source: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe, 00000000.00000002.1691660005.0000000000540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2520000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 27A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 26A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1230000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2D10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4D10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 9A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 26E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 46E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1620000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3160000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2FA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2EB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2EB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1060000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2B90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 29A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 13D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2FB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2CE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2B60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2CE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4CE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 950000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2560000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 24A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2F70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3220000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 5220000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3030000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3160000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 5160000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 650000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 23D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 930000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: D40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 26F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 46F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 16F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3080000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 5080000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1250000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2CD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2C10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: BF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2540000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4540000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: A70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2330000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 20C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 11F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2C90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4C90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: E40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2B10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 10C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1080000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 28D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 48D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1540000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3090000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2E90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 14D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3240000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1670000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 29D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2BB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4BB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1310000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2F30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 13D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: A60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2470000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2290000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: B40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 24F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 44F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1570000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2FC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1570000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Thread delayed: delay time: 600000
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 414 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 4639 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 891 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 369 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 878 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 868 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\log4net.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\nsProcess.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\blowfish.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Del.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libcef.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiA896.tmp\liteFirewall.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskFDD4.tmp\INetC.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe API coverage: 9.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 7320 Thread sleep time: -463900s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 7316 Thread sleep time: -89100s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 7672 Thread sleep time: -36900s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 7676 Thread sleep time: -33400s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe TID: 7732 Thread sleep time: -210000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 7644 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 7748 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 4168 Thread sleep count: 32 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Code function: 7_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 7_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Code function: 7_2_004066FF FindFirstFileA,FindClose, 7_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Code function: 7_2_004027AA FindFirstFileA, 7_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: 9_2_00A924BD FindFirstFileExW, 9_2_00A924BD
Source: C:\Users\user\AppData\Local\Temp\setup.exe Code function: 11_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 11_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\setup.exe Code function: 11_2_004066FF FindFirstFileA,FindClose, 11_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\setup.exe Code function: 11_2_004027AA FindFirstFileA, 11_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: 9_2_03CD2054 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA, 9_2_03CD2054
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Local\Adobe\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\ Jump to behavior
Source: explorer.exe, 00000001.00000000.1685084391.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: DBD3.exe, 00000006.00000002.2121763571.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, FD47.exe, 00000007.00000003.3383606451.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, FD47.exe, 00000007.00000003.3383411439.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, FD47.exe, 00000007.00000002.3584082427.00000000007F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: explorer.exe, 00000001.00000000.1681641684.0000000001248000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1683280405.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1684623334.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1684623334.000000000982D000.00000004.00000001.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2023067511.000000000163F000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000003.2119386462.000000000163D000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000002.2121863832.000000000163D000.00000004.00000020.00020000.00000000.sdmp, FD47.exe, 00000007.00000003.3383538487.000000000081D000.00000004.00000020.00020000.00000000.sdmp, FD47.exe, 00000007.00000002.3613821225.000000000081D000.00000004.00000020.00020000.00000000.sdmp, 1B6E.exe, 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: GamePall.exe, 00000027.00000002.3543813931.00000000006B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y`
Source: 1B6E.exe, 00000009.00000002.2833845596.00000000015ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnS
Source: 1B6E.exe, 00000009.00000002.2833845596.00000000015AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWn`
Source: explorer.exe, 00000001.00000000.1685084391.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: GamePall.exe, 0000000C.00000002.3351452366.0000000000803000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000001.00000000.1684623334.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1684623334.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1685084391.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1685084391.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: GamePall.exe, 00000027.00000002.3543813931.0000000000733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: explorer.exe, 00000001.00000000.1683280405.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
Source: GamePall.exe, 00000027.00000002.3543813931.00000000006F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3U7X`t Tt500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1684623334.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: GamePall.exe, 00000027.00000002.3543813931.00000000006F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:PP*7PXtxK
Source: explorer.exe, 00000001.00000000.1683280405.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
Source: FD47.exe, 00000007.00000003.3383538487.000000000081D000.00000004.00000020.00020000.00000000.sdmp, FD47.exe, 00000007.00000002.3613821225.000000000081D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWA
Source: explorer.exe, 00000001.00000000.1684623334.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1681641684.0000000001248000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.1681641684.0000000001248000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\AppData\Local\Temp\FD47.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\setup.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\etvjrtf System information queried: CodeIntegrityInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\etvjrtf Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: 9_2_00A84383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00A84383
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Code function: 7_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary, 7_2_100010D0
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 12_2_64094DA1 mov esi, dword ptr fs:[00000030h] 12_2_64094DA1
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: 9_2_00A95891 GetProcessHeap, 9_2_00A95891
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: 9_2_00A84383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00A84383
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: 9_2_00A80495 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00A80495
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: 9_2_00A806F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00A806F0
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: 9_2_00A80622 SetUnhandledExceptionFilter, 9_2_00A80622
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: 1B6E.exe.1.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 181.52.122.51 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 141.8.192.126 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 185.68.16.7 443 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 127.0.0.127 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 80 Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Thread created: C:\Windows\explorer.exe EIP: 31419D0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\etvjrtf Thread created: unknown EIP: 7DB19D0 Jump to behavior
LummaC encrypted strings found
Source: DBD3.exe, 00000006.00000002.2120635192.000000000065D000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: pedestriankodwu.xyz
Source: DBD3.exe, 00000006.00000002.2120635192.000000000065D000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: towerxxuytwi.xyz
Source: DBD3.exe, 00000006.00000002.2120635192.000000000065D000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: ellaboratepwsz.xyz
Source: DBD3.exe, 00000006.00000002.2120635192.000000000065D000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: penetratedpoopp.xyz
Source: DBD3.exe, 00000006.00000002.2120635192.000000000065D000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: swellfrrgwwos.xyz
Source: DBD3.exe, 00000006.00000002.2120635192.000000000065D000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: contintnetksows.shop
Source: DBD3.exe, 00000006.00000002.2120635192.000000000065D000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: foodypannyjsud.shop
Source: DBD3.exe, 00000006.00000002.2120635192.000000000065D000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: potterryisiw.shop
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\etvjrtf Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\etvjrtf Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3300 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3972 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3996 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171165647 --mojo-platform-channel-handle=4028 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171215235 --mojo-platform-channel-handle=4164 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3300 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3972 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3996 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171165647 --mojo-platform-channel-handle=4028 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171215235 --mojo-platform-channel-handle=4164 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3300 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3972 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3996 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171165647 --mojo-platform-channel-handle=4028 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719958699492342 --launch-time-ticks=5171215235 --mojo-platform-channel-handle=4164 --field-trial-handle=3304,i,1949751332316853400,13227287206754683143,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: explorer.exe, 00000001.00000000.1683124534.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1684623334.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1681865280.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1681865280.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1681641684.0000000001248000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1681865280.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1681865280.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: 9_2_00A8013C cpuid 9_2_00A8013C
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: GetLocaleInfoW, 9_2_00A8E096
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 9_2_00A950DC
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: EnumSystemLocalesW, 9_2_00A95051
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: GetLocaleInfoW, 9_2_00A9532F
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 9_2_00A95458
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: GetLocaleInfoW, 9_2_00A9555E
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 9_2_00A95634
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: EnumSystemLocalesW, 9_2_00A8DBC7
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 9_2_00A94CBF
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: EnumSystemLocalesW, 9_2_00A94FB6
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: EnumSystemLocalesW, 9_2_00A94F6B
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe Code function: 9_2_00A8038F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 9_2_00A8038F
Source: C:\Users\user\AppData\Local\Temp\FD47.exe Code function: 7_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 7_2_004034CC
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: DBD3.exe, 00000006.00000003.2119386462.0000000001628000.00000004.00000020.00020000.00000000.sdmp, DBD3.exe, 00000006.00000002.2121863832.0000000001628000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: DBD3.exe PID: 7704, type: MEMORYSTR
Yara detected Poverty Stealer
Source: Yara match File source: 9.2.1B6E.exe.165ea20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.1B6E.exe.165ea20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.1B6E.exe.3cd0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.1B6E.exe.3cd0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.1B6E.exe.1618320.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.1B6E.exe.1618320.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1B6E.exe PID: 7888, type: MEMORYSTR
Yara detected SmokeLoader
Source: Yara match File source: 00000003.00000002.1924153562.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1691624070.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1691528939.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1923776407.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Found many strings related to Crypto-Wallets (likely being stolen)
Source: DBD3.exe, 00000006.00000003.2037792556.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: DBD3.exe, 00000006.00000003.2037792556.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: DBD3.exe, 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx LibertynDS
Source: DBD3.exe, 00000006.00000003.2037792556.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: DBD3.exe, 00000006.00000003.2037792556.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: DBD3.exe, 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Exodus
Source: DBD3.exe, 00000006.00000003.2037792556.000000000165C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: DBD3.exe, 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: DBD3.exe, 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1B6E.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla\Notes9.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Directory queried: C:\Users\user\Documents\JSDNGYCOWY Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Directory queried: C:\Users\user\Documents\JSDNGYCOWY Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DBD3.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH Jump to behavior
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Directory queried: number of queries: 1437
Yara detected Credential Stealer
Source: Yara match File source: 00000006.00000003.2076723236.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2037792556.000000000169D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2024545560.000000000169D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2022920516.000000000169D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DBD3.exe PID: 7704, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: DBD3.exe PID: 7704, type: MEMORYSTR
Yara detected Poverty Stealer
Source: Yara match File source: 9.2.1B6E.exe.165ea20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.1B6E.exe.165ea20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.1B6E.exe.3cd0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.1B6E.exe.3cd0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.1B6E.exe.1618320.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.1B6E.exe.1618320.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2840578452.0000000003CD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2833845596.000000000160D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1B6E.exe PID: 7888, type: MEMORYSTR
Yara detected SmokeLoader
Source: Yara match File source: 00000003.00000002.1924153562.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1691624070.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1691528939.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1923776407.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1466523 Sample: 37e6e5d8b399fefb9ae774516ff... Startdate: 03/07/2024 Architecture: WINDOWS Score: 100 103 Found malware configuration 2->103 105 Malicious sample detected (through community Yara rule) 2->105 107 Antivirus detection for URL or domain 2->107 109 11 other signatures 2->109 12 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe 2->12         started        15 etvjrtf 2->15         started        process3 signatures4 141 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->141 143 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->143 145 Maps a DLL or memory area into another process 12->145 147 Switches to a custom stack to bypass stack traces 12->147 17 explorer.exe 56 10 12->17 injected 149 Multi AV Scanner detection for dropped file 15->149 151 Checks if the current machine is a virtual machine (disk enumeration) 15->151 153 Creates a thread in another existing process (thread injection) 15->153 process5 dnsIp6 89 185.68.16.7 UKRAINE-ASUA Ukraine 17->89 91 181.52.122.51 TelmexColombiaSACO Colombia 17->91 93 2 other IPs or domains 17->93 73 C:\Users\user\AppData\Roaming\etvjrtf, PE32 17->73 dropped 75 C:\Users\user\AppData\Local\Temp\FD47.exe, PE32 17->75 dropped 77 C:\Users\user\AppData\Local\Temp\DBD3.exe, PE32 17->77 dropped 79 2 other malicious files 17->79 dropped 113 System process connects to network (likely due to code injection or exploit) 17->113 115 Benign windows process drops PE files 17->115 117 Deletes itself after installation 17->117 119 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->119 22 FD47.exe 3 35 17->22         started        26 DBD3.exe 17->26         started        29 1B6E.exe 12 17->29         started        31 GamePall.exe 17->31         started        file7 signatures8 process9 dnsIp10 81 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 22->81 dropped 83 C:\Users\user\AppData\Local\...\blowfish.dll, PE32 22->83 dropped 85 C:\Users\user\AppData\Local\...\huge[1].dat, PE32 22->85 dropped 87 2 other files (none is malicious) 22->87 dropped 121 Antivirus detection for dropped file 22->121 123 Multi AV Scanner detection for dropped file 22->123 33 setup.exe 9 112 22->33         started        97 188.114.96.3 CLOUDFLARENETUS European Union 26->97 125 Query firmware table information (likely to detect VMs) 26->125 127 Machine Learning detection for dropped file 26->127 129 Found many strings related to Crypto-Wallets (likely being stolen) 26->129 135 4 other signatures 26->135 99 146.70.169.164 TENET-1ZA United Kingdom 29->99 101 185.166.143.48 AMAZON-02US Germany 29->101 131 Found evasive API chain (may stop execution after checking mutex) 29->131 133 Tries to harvest and steal browser information (history, passwords, etc) 29->133 37 GamePall.exe 31->37         started        file11 signatures12 process13 file14 65 C:\Users\user\AppData\...\vulkan-1.dll, PE32 33->65 dropped 67 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32 33->67 dropped 69 C:\Users\user\AppData\...\libGLESv2.dll, PE32 33->69 dropped 71 16 other files (13 malicious) 33->71 dropped 111 Antivirus detection for dropped file 33->111 39 GamePall.exe 33->39         started        signatures15 process16 dnsIp17 95 172.67.221.174 CLOUDFLARENETUS United States 39->95 137 Antivirus detection for dropped file 39->137 139 Machine Learning detection for dropped file 39->139 43 GamePall.exe 39->43         started        45 GamePall.exe 39->45         started        47 GamePall.exe 39->47         started        49 6 other processes 39->49 signatures18 process19 process20 51 GamePall.exe 43->51         started        53 GamePall.exe 43->53         started        55 GamePall.exe 43->55         started        57 10 other processes 43->57 process21 59 GamePall.exe 51->59         started        61 GamePall.exe 51->61         started        63 GamePall.exe 53->63         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
181.52.122.51
 unknown Colombia
10620 TelmexColombiaSACO true
185.166.143.48
 unknown Germany
16509 AMAZON-02US false
141.8.192.126
 unknown Russian Federation
35278 SPRINTHOSTRU true
188.114.96.3
 unknown European Union
13335 CLOUDFLARENETUS true
172.67.221.174
 unknown United States
13335 CLOUDFLARENETUS false
185.68.16.7
 unknown Ukraine
200000 UKRAINE-ASUA true
146.70.169.164
 unknown United Kingdom
2018 TENET-1ZA true

Private

IP
127.0.0.127

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://gebeus.ru/tmp/index.php true
  • Avira URL Cloud: malware
 unknown
http://cx5519.com/tmp/index.php true
  • Avira URL Cloud: malware
 unknown
contintnetksows.shop true
  • Avira URL Cloud: malware
 unknown
http://evilos.cc/tmp/index.php true
  • Avira URL Cloud: malware
 unknown
ellaboratepwsz.xyz true
  • Avira URL Cloud: malware
 unknown
swellfrrgwwos.xyz true
  • Avira URL Cloud: malware
 unknown
foodypannyjsud.shop true
  • Avira URL Cloud: malware
 unknown
pedestriankodwu.xyz true
  • Avira URL Cloud: malware
 unknown