Windows Analysis Report
SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe

Overview

General Information

Sample name: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe
Analysis ID: 1466524
MD5: 17cb739c8fd07235fd29fbaab85e7777
SHA1: bb8b921acb8cce657068485c5d55f411318b7955
SHA256: dd6f8daddb7da0e8b9be526fc3aa9c5f0808fe6926ca7a9648464f9b4f8140e1
Tags: exe
Infos:

Detection

LummaC, Poverty Stealer, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected LummaC Stealer
Yara detected Poverty Stealer
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Name Description Attribution Blogpost URLs Link
SmokeLoader The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
  • SMOKY SPIDER
 https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Avira: detection malicious, Label: HEUR/AGEN.1313486
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Avira: detection malicious, Label: HEUR/AGEN.1352426
Source: C:\Users\user\AppData\Local\Temp\7719.exe Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat Avira: detection malicious, Label: HEUR/AGEN.1359405
Found malware configuration
Source: 00000000.00000002.2123517246.0000000004350000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
Source: 9.2.96C7.exe.da83c0.1.raw.unpack Malware Configuration Extractor: Poverty Stealer {"C2 url": "146.70.169.164:2227"}
Source: 53FF.exe.3176.5.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "bOKHNM--"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\53FF.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\7719.exe ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\96C7.exe ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Roaming\svgbeht ReversingLabs: Detection: 42%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe ReversingLabs: Detection: 42%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\Del.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_036E1C94 CryptUnprotectData,CryptProtectData, 9_2_036E1C94
Uses 32bit PE files
Source: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: Newtonsoft.Json.dll.11.dr
Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exeePallll source: setup.exe, 0000000B.00000002.3864436780.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: 96C7.exe, 00000009.00000002.3616324754.000000000A8F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.11.dr
Source: Binary string: libEGL.dll.pdb source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbx source: 96C7.exe, 00000009.00000002.3616324754.000000000A8F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb source: 96C7.exe, 00000009.00000002.3616324754.000000000A8FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000C.00000000.3686415820.00000000007D2000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 00000010.00000002.3898198006.0000000005E6A000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 00000010.00000002.3898198006.0000000005E6A000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: 96C7.exe, 00000009.00000000.2583634857.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmp, 96C7.exe, 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3865128619.000000000075A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3865128619.000000000075A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: libGLESv2.dll.pdb source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: 96C7.exe, 00000009.00000000.2583634857.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmp, 96C7.exe, 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmp
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Directory queried: number of queries: 1660
Source: C:\Users\user\AppData\Local\Temp\7719.exe Code function: 8_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 8_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\7719.exe Code function: 8_2_004066FF FindFirstFileA,FindClose, 8_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\7719.exe Code function: 8_2_004027AA FindFirstFileA, 8_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_00EB24BD FindFirstFileExW, 9_2_00EB24BD
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_036E1000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection, 9_2_036E1000
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_036E4E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW, 9_2_036E4E27
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_036E1D3C FindFirstFileW,FindNextFileW, 9_2_036E1D3C
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_036E40BA FindFirstFileW,FindNextFileW, 9_2_036E40BA
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_036E3EFC FindFirstFileW,FindNextFileW, 9_2_036E3EFC
Source: C:\Users\user\AppData\Local\Temp\96C7.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe File opened: C:\Users\user\AppData\Local\Adobe\ Jump to behavior

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 190.159.30.35 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 141.8.192.126 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 185.68.16.7 443 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 127.0.0.127 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: pedestriankodwu.xyz
Source: Malware configuration extractor URLs: towerxxuytwi.xyz
Source: Malware configuration extractor URLs: ellaboratepwsz.xyz
Source: Malware configuration extractor URLs: penetratedpoopp.xyz
Source: Malware configuration extractor URLs: swellfrrgwwos.xyz
Source: Malware configuration extractor URLs: contintnetksows.shop
Source: Malware configuration extractor URLs: foodypannyjsud.shop
Source: Malware configuration extractor URLs: potterryisiw.shop
Source: Malware configuration extractor URLs: potterryisiw.shop
Source: Malware configuration extractor URLs: http://evilos.cc/tmp/index.php
Source: Malware configuration extractor URLs: http://gebeus.ru/tmp/index.php
Source: Malware configuration extractor URLs: http://office-techs.biz/tmp/index.php
Source: Malware configuration extractor URLs: http://cx5519.com/tmp/index.php
Source: Malware configuration extractor URLs: 146.70.169.164:2227
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_00E45B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,FreeLibrary,task, 9_2_00E45B80
Source: GamePall.exe, 00000015.00000002.3813403329.0000000002501000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.install-stat.debug.world/clients/activity
Source: GamePall.exe, 00000013.00000002.3814333984.0000000003151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.install-stat.debug.world/clients/activity8
Source: GamePall.exe, 00000015.00000002.3813403329.0000000002501000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.install-stat.debug.world/clients/installs
Source: GamePall.exe, 00000015.00000002.3813403329.0000000002501000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bageyou.xyz
Source: GamePall.exe, 0000000C.00000002.4120205235.0000000002D07000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bageyou.xyz/c/g
Source: GamePall.exe, 0000000C.00000002.4120205235.0000000002D07000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bageyou.xyz/c/g4
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: explorer.exe, 00000002.00000000.2115963975.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2115963975.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: http://crbug.com/1352358
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: http://crbug.com/275944
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: http://crbug.com/378067
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: http://crbug.com/437891.
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: http://crbug.com/456214
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: http://crbug.com/510270
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: http://crbug.com/642141
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: http://crbug.com/672186).
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: http://crbug.com/819404
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: http://crbug.com/957772
Source: 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: explorer.exe, 00000002.00000000.2113028471.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: explorer.exe, 00000002.00000000.2115963975.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2115963975.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: explorer.exe, 00000002.00000000.2115963975.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2115963975.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://james.newtonking.com/projects/json
Source: log4net.xml.11.dr String found in binary or memory: http://logging.apache.org/log4j
Source: GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp, log4net.xml.11.dr String found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: log4net.xml.11.dr String found in binary or memory: http://logging.apache.org/log4net/schemas/log4net-events-1.2&gt;
Source: 7719.exe, 7719.exe, 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmp, 7719.exe, 00000008.00000000.2523574701.000000000040A000.00000008.00000001.01000000.00000007.sdmp, setup.exe, 0000000B.00000002.3864436780.000000000040A000.00000004.00000001.01000000.0000000D.sdmp, setup.exe, 0000000B.00000000.3366645637.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, setup.exe, 0000000B.00000003.3686521042.00000000007BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 7719.exe, 00000008.00000002.3874005916.000000000040A000.00000004.00000001.01000000.00000007.sdmp, 7719.exe, 00000008.00000000.2523574701.000000000040A000.00000008.00000001.01000000.00000007.sdmp, setup.exe, 0000000B.00000002.3864436780.000000000040A000.00000004.00000001.01000000.0000000D.sdmp, setup.exe, 0000000B.00000000.3366645637.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, setup.exe, 0000000B.00000003.3686521042.00000000007BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000002.00000000.2115963975.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2115963975.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 00000002.00000000.2115963975.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: explorer.exe, 00000002.00000000.2115543053.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2115565652.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2115142712.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: GamePall.exe, 0000000C.00000002.4120205235.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: http://www.apache.org/).
Source: GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: http://www.apache.org/licenses/
Source: GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.2118423388.000000000C81C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: log4net.xml.11.dr String found in binary or memory: http://www.connectionstrings.com/
Source: log4net.xml.11.dr String found in binary or memory: http://www.faqs.org/rfcs/rfc3164.html.
Source: log4net.xml.11.dr String found in binary or memory: http://www.iana.org/assignments/multicast-addresses
Source: GamePall.exe, 00000013.00000002.4085407935.0000000006BFF000.00000002.00000001.00040000.0000001A.sdmp String found in binary or memory: http://www.unicode.org/copyright.html
Source: 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: 53FF.exe, 00000005.00000003.2486747696.0000000003650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: 7719.exe, 00000008.00000002.3876675879.000000000085E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xiexie.wf/22_551/huge.dat
Source: 7719.exe, 00000008.00000002.3874005916.0000000000434000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: http://xiexie.wf/22_551/huge.datmCGBZvyfGQlwd
Source: 53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000002.00000000.2118031324.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000000.2114531614.00000000076F8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.2115963975.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.2114531614.0000000007637000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.2113719983.00000000035FA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.coml
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aui-cdn.atlassian.com/
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/1
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 96C7.exe, 00000009.00000002.3435692996.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee
Source: 53FF.exe, 00000005.00000003.2488157667.0000000000710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: 53FF.exe, 00000005.00000003.2488157667.0000000000710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cookielaw.org/
Source: 53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: GamePall.exe, 00000013.00000002.4547043059.000000003C270000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=ukCtrl$1
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=urCtrl$2
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=viCtrl$1
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CNCtrl$1
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TWCtrl$1
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: GamePall.exe, 00000013.00000002.4547043059.000000003C270000.00000004.00001000.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://chromewebstore.google.com/
Source: GamePall.exe, 00000013.00000002.4547043059.000000003C270000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/declarativeNetRequestWithHostAccessds=2-1719957786566967id5app.win
Source: GamePall.exe, 00000013.00000002.4546897572.000000003C25C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: GamePall.exe, 00000013.00000002.4546897572.000000003C25C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxle
Source: 53FF.exe, 00000005.00000003.2488157667.0000000000710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 53FF.exe, 00000005.00000003.2488157667.0000000000710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: GamePall.exe, 00000013.00000002.4213815797.00000000072A4000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://crbug.com/1201800
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
Source: 53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: 53FF.exe, 00000005.00000003.2464232974.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2573234047.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2453795663.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2464347244.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000002.2574942485.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2464028346.0000000000672000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000002.2574819824.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2572799429.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2540650954.0000000000704000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/
Source: 53FF.exe, 00000005.00000003.2464232974.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2453795663.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2464347244.00000000006B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/-%
Source: 53FF.exe, 00000005.00000003.2573234047.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000002.2574942485.000000000071C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/D
Source: 53FF.exe, 00000005.00000002.2574819824.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2572799429.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2540650954.0000000000704000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/O
Source: 53FF.exe, 00000005.00000003.2464347244.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2453884126.0000000000691000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000002.2574819824.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2572799429.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2540650954.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2516528553.0000000000700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/api
Source: 53FF.exe, 00000005.00000002.2574430878.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2573425240.000000000069C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/apiP
Source: 53FF.exe, 00000005.00000003.2516528553.0000000000700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/apif
Source: 53FF.exe, 00000005.00000002.2574819824.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2572799429.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2540650954.0000000000704000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/apit
Source: 53FF.exe, 00000005.00000003.2516528553.0000000000700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/g
Source: 53FF.exe, 00000005.00000003.2464232974.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2453795663.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2464347244.00000000006B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/h
Source: 53FF.exe, 00000005.00000002.2574819824.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2572799429.0000000000704000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/m
Source: 53FF.exe, 00000005.00000003.2516528553.0000000000700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/op
Source: 53FF.exe, 00000005.00000002.2574819824.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2572799429.0000000000704000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2540650954.0000000000704000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/pi
Source: 53FF.exe, 00000005.00000003.2540650954.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2516350013.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2573234047.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000002.2574942485.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2529482964.000000000071C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/q
Source: 53FF.exe, 00000005.00000003.2516350013.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2498697771.0000000000719000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2498890451.000000000071C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/qD
Source: 53FF.exe, 00000005.00000003.2516528553.0000000000700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/s
Source: 53FF.exe, 00000005.00000003.2516528553.0000000000700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/sN
Source: 53FF.exe, 00000005.00000003.2516528553.0000000000700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/t
Source: GamePall.exe, 0000000C.00000002.4120205235.0000000003005000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.protekt2day.com/go/1c68c94b-6319-4e81-a7cf-3041c0161b9b?cost=0.180000
Source: GamePall.exe, 0000000C.00000002.4120205235.0000000003005000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.protekt2day.com/go/1c68c94b-6319-4e81-a7cf-3041c0161b9b?cost=0.180000&visitor_id=83180631
Source: 53FF.exe, 00000005.00000003.2488157667.0000000000710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://myactivity.google.com/
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://passwords.google.com
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://passwords.google.comGoogle
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://passwords.google.comT
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://policies.google.com/
Source: explorer.exe, 00000002.00000000.2118031324.000000000C460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: 53FF.exe, 00000005.00000003.2487805179.000000000375A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 53FF.exe, 00000005.00000003.2487805179.000000000375A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: GamePall.exe, 00000016.00000002.3844470978.0000000004ED6000.00000002.00000001.01000000.00000011.sdmp, GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: explorer.exe, 00000002.00000000.2115963975.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000002.00000000.2115963975.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comon
Source: 53FF.exe, 00000005.00000003.2488157667.0000000000710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: 53FF.exe, 00000005.00000003.2488157667.0000000000710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&
Source: GamePall.exe, 00000013.00000002.4204288341.0000000006E30000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&r
Source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlYar&d
Source: 53FF.exe, 00000005.00000003.2465238419.0000000003668000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 53FF.exe, 00000005.00000003.2487805179.000000000375A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: 53FF.exe, 00000005.00000003.2487805179.000000000375A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 53FF.exe, 00000005.00000003.2487805179.000000000375A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 53FF.exe, 00000005.00000003.2487805179.000000000375A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 53FF.exe, 00000005.00000003.2487805179.000000000375A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 53FF.exe, 00000005.00000003.2487805179.000000000375A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected SmokeLoader
Source: Yara match File source: 0000000A.00000002.2975757928.0000000004271000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2123557960.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2123517246.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2417127304.00000000027E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2975710135.0000000004250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2417303583.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\7719.exe Code function: 8_2_004055E7 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 8_2_004055E7
Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_036E4BA2 GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,DeleteObject,DeleteDC,ReleaseDC, 9_2_036E4BA2
Too many similar processes found
Source: GamePall.exe Process created: 52

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0000000A.00000002.2975757928.0000000004271000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2417216706.000000000281B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.2975329617.0000000002790000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2123557960.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2123517246.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2417107422.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.2417127304.00000000027E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000A.00000002.2975710135.0000000004250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2123328963.0000000002960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000A.00000002.2975486855.00000000027AF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.2417303583.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2123406759.000000000298C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Abnormal high CPU Usage
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Code function: 0_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401538
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Code function: 0_2_00402FE9 RtlCreateUserThread,NtTerminateProcess, 0_2_00402FE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Code function: 0_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004014DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Code function: 0_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401496
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Code function: 0_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401543
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Code function: 0_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401565
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Code function: 0_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401579
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Code function: 0_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040157C
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 4_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401538
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 4_2_00402FE9 RtlCreateUserThread,NtTerminateProcess, 4_2_00402FE9
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 4_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_004014DE
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 4_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401496
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 4_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401543
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 4_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401565
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 4_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401579
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 4_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_0040157C
Source: C:\Users\user\AppData\Local\Temp\7719.exe Code function: 8_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary, 8_2_100010D0
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 10_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 10_2_00401538
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 10_2_00402FE9 RtlCreateUserThread,NtTerminateProcess, 10_2_00402FE9
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 10_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 10_2_004014DE
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 10_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 10_2_00401496
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 10_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 10_2_00401543
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 10_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 10_2_00401565
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 10_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 10_2_00401579
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 10_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 10_2_0040157C
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\7719.exe Code function: 8_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 8_2_004034CC
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\7719.exe Code function: 8_2_00406A88 8_2_00406A88
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_00EA1490 9_2_00EA1490
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_00EAD515 9_2_00EAD515
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_00EB4775 9_2_00EB4775
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_00EABE09 9_2_00EABE09
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: String function: 00EA0310 appears 51 times
Uses 32bit PE files
Source: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0000000A.00000002.2975757928.0000000004271000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2417216706.000000000281B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.2975329617.0000000002790000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2123557960.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2123517246.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2417107422.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.2417127304.00000000027E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000A.00000002.2975710135.0000000004250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2123328963.0000000002960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000A.00000002.2975486855.00000000027AF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.2417303583.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2123406759.000000000298C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: svgbeht.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.cs Cryptographic APIs: 'TransformBlock'
Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.cs Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: GamePall.exe.11.dr, Program.cs Base64 encoded string: 'pizR9uKkcZIkMW+F1cRjYV0LMt6eYXmLuiNCndESDPkTO3eY1Mjv7Hs2Qvo+t26G', 'ZTDMzZVpdA1FSa2RiY6ZCl2QGyLDtQ3OBRa/N40wO2xxcvcDsATtLRGwKtaEB36dqPJnDF8qXNs92JbMBlsOyg==', 'nYQvMVlU2Asj2rNkmi7xBNqGCkGzSnaP0raCPfB8A9hSwWFTIjPcsKgDrCVAEwSQ1lHf/WOhnKR59a5JjrkJVUOFvV43wO8MM1FKgjYuj7ZzvvuGve+okViUQx+oGN+llGnjS4Fm9o1MUn7p+qcPVIDZRcvMal1ARjQNk+bFvT5vC4J8slkhLZYtvBYmOybvSK90G7/f/U8GPBdM7WBmfFdHzzGxw6WFcHlkdySP8Nvmzff08RdOn8QOu8FlABEqqEjQ0W84v+/lU0lmhvzugpodd8fIp2kb2/twZPg9/Jsy5viOC65K8bs1ES63SA2d62f5cJYpFf1f0WBQbCBcSzfwiDlBCWVIW9vFXW1awyEMdm3q36+BViyETC5tnyHuoLRgf3bXoQAwqE0OIII5DROfW+LmqqHY82rVXHAqhVjdA2wZRWcSI1zxV7+qTfhmp9qbIQAWSuuXTzhbIvI3gjvtPCdz9uBv8rjyg1XZNxfdgYdtF+klyGgKdefnu5G2pgjfT3Kb/VbjgkFvLlqtWNr5K7iC080FVeHsZazMHUrrDtsmNdChtvnX8Zj77rIGVxi9RfvHhhIhBj+WSos+lJ2nuvQkUpqVEa1mrZSwPezG/uoh0qvs+BAHbNFNjv99WS6tgWIkvcQVCi2h3cfxTGQiZDetQZqB+N/mnvgC6WdrcRKGHBE4mp6bpgTY9+nt3lPiH6OZnlxC8rdHbuGtY6R/FgNFYkw49JWXYeZ1VV3KnjSrFMvDlkyMCAW1X9/1VoC+f73WVYMLwXafDKtGO2lfr9vwKms+8HoEgs7bj0aroIPdmLK/z/djAsFZO8Vp', 'T7BWwqrn4yISEECEAnARpwE8R+3lDHSc+RlcJT90an1SNsS27lGBQjOx4RmDHlrj7oJnnzx1IWXOkbTfLzBeCfU6UJhOIoQKhcWidAxAKIxvqZnoB6AujIU0F7dEj65vahyTdEvkIxzFaV2+akbl53KcDi5RPBOP16iXVi0WJdHV5AbSCI9WCEcSX/fUpmukBh4bjVF/T/P/B6TFVtNZintCOSO2Ha+2va2CJMOnJ020zYskwuvcH9d1rGD3Zf9RBC2obzrhRNK2LXTEIYnifs6L2UdqFhw5aANXILziQtzKvsTQKvc15hvHCCoeXJCyyK7/WgA/oRu7bdrTs2DwCQ==', 'ZY0WCEgzqiLEU8ZUVJwGTpbkuL9KoMwYVloBqJXjur8rfBZEXTysQNKRQ1H7/vn7o0wyHAux60SVy06r4v6So5WWxddei09LXvL6ZwK/tyY=', 's7iS2XfzyI+IBoARaZQlTINg1kEy7qT7EopaSHQzpqktZBtc7UiOYrPdv/6f4cNI', 'o2ZleBui4P9C2ZjnB98Vuesy1C+WucHiXjQJ8RANoX6TheGfnLYAWDsXRfSeNCDHWdkBP2RBrkWPBy/nuM2NFLMETMUsPFeG3JHWafvGKzaNEjYO3Up9m61SnaY5tINvLCYJ/TKITszJ9H1YSm2chnmQGLUzbz4pwvWvvKfH8m7z585W73/QZrtw3l/30vcZaVocgwemYusDJYsOTgeWc0okiDahD7qtJcBYZ0aOzxZZmHDMBYigkRVf8GTJ/xucA/i7EHBFpaWoLVZVcuGFMA==', 'T7BWwqrn4yISEECEAnARp+JyVgG3cZc2/9+3VbyOjc4PuRSCU7ZfXuXpIIH8uj2roUU+W7nSmXHqTuxLhe6DBfNVh8PFZrhNX/YhIexDxrk=', 'G4TxOgdwfNBdU+6bscw2hqt3kZYZMfoEuKZtmCxRLrF8xJCK1+L0ocd8eSQjty7d', 'PcG64iM3U1vDIVDm7HuwTSvKhuz45f/WPqYoWZvzLHcapbEfkynZkUjmDgg30eof', 'XGcq7Js3+2f2oGHGFzxJPiYsrodwK+bTw/0lKjiUd0tSWMHEjdVqzAclD1/nPksq3sGhVTN8oFeHMRE7wAt3mCLVCEXKF9JLnNeWw9vvCbs=', 'T7BWwqrn4yISEECEAnARp8UQ6kvfa8mDiwe39obQZ+Rxfj5bbo//kf+4mlTsZUEg0QM/4QBKb6sUDMsk9OTdYg==', 'T7BWwqrn4yISEECEAnARp/U1NCwfjpQ4K5UKuMbDqXSrjfU6Tf/pOCpHlHXtYnU5', 'Gg/rFkGmnFrfPAny9sQ3qerPGxlC7+cuu92x2tgXrCRkqABwTbbIR8+hJN0krbBD9OJX8s2JqeR+xICuD2u17N7KjlWCZwpg4+c7mG1xAahALfXXbu/EvJy+KsAzQlzR9bu8P4wbyuM6r6/7kdf+VQ==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLT3pudJg4gGhcEax3IHwBI0R5vZR7J9mjUQ8R9MdKz/Fw==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLTcCwJrbTmNGWmZutw1Di2FSZ+3JxFtC00BiemuQuq2+A=='
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@299/115@0/8
Source: C:\Users\user\AppData\Local\Temp\7719.exe Code function: 8_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 8_2_004034CC
Source: C:\Users\user\AppData\Local\Temp\7719.exe Code function: 8_2_00404897 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 8_2_00404897
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Code function: 0_2_0298F452 CreateToolhelp32Snapshot,Module32First, 0_2_0298F452
Source: C:\Users\user\AppData\Local\Temp\7719.exe Code function: 8_2_00402173 CoCreateInstance,MultiByteToWideChar, 8_2_00402173
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\svgbeht Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_mainLog.txt
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Mutant created: \Sessions\1\BaseNamedObjects\1e7f31ac-1494-47cc-9633-054c20e7432e
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_rendLog.txt
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\53FF.tmp Jump to behavior
Source: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 53FF.exe, 00000005.00000003.2465105201.0000000003656000.00000004.00000800.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2465369909.0000000003638000.00000004.00000800.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2475350447.0000000003658000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe ReversingLabs: Detection: 42%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\svgbeht C:\Users\user\AppData\Roaming\svgbeht
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\53FF.exe C:\Users\user\AppData\Local\Temp\53FF.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\7719.exe C:\Users\user\AppData\Local\Temp\7719.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\96C7.exe C:\Users\user\AppData\Local\Temp\96C7.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\svgbeht C:\Users\user\AppData\Roaming\svgbeht
Source: C:\Users\user\AppData\Local\Temp\7719.exe Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\setup.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3924 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=2972 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=2260 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521213265 --mojo-platform-channel-handle=4044 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521380179 --mojo-platform-channel-handle=4056 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\53FF.exe C:\Users\user\AppData\Local\Temp\53FF.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\7719.exe C:\Users\user\AppData\Local\Temp\7719.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\96C7.exe C:\Users\user\AppData\Local\Temp\96C7.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3924 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=2972 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=2260 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521213265 --mojo-platform-channel-handle=4044 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521380179 --mojo-platform-channel-handle=4056 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cdprt.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: smartscreenps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: firewallapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: fwbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: audioses.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mdmregistration.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mdmregistration.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: omadmapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dmcmnutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iri.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dsreg.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscms.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: Newtonsoft.Json.dll.11.dr
Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exeePallll source: setup.exe, 0000000B.00000002.3864436780.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: 96C7.exe, 00000009.00000002.3616324754.000000000A8F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.11.dr
Source: Binary string: libEGL.dll.pdb source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbx source: 96C7.exe, 00000009.00000002.3616324754.000000000A8F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb source: 96C7.exe, 00000009.00000002.3616324754.000000000A8FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000C.00000000.3686415820.00000000007D2000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 00000010.00000002.3898198006.0000000005E6A000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 00000010.00000002.3898198006.0000000005E6A000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 00000016.00000002.3844221920.0000000004E92000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: 96C7.exe, 00000009.00000000.2583634857.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmp, 96C7.exe, 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3865128619.000000000075A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3865128619.000000000075A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: libGLESv2.dll.pdb source: setup.exe, 0000000B.00000002.3866084513.0000000002839000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: 96C7.exe, 00000009.00000000.2583634857.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmp, 96C7.exe, 00000009.00000002.3439368060.0000000000EB9000.00000002.00000001.01000000.0000000B.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Unpacked PE file: 0.2.SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\svgbeht Unpacked PE file: 4.2.svgbeht.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\svgbeht Unpacked PE file: 10.2.svgbeht.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Binary contains a suspicious time stamp
Source: Newtonsoft.Json.dll.11.dr Static PE information: 0xF68F744F [Mon Jan 31 06:35:59 2101 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\7719.exe Code function: 8_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary, 8_2_100010D0
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .vmpLp
PE file contains sections with non-standard names
Source: 53FF.exe.2.dr Static PE information: section name: .vmpLp
Source: 53FF.exe.2.dr Static PE information: section name: .vmpLp
Source: 53FF.exe.2.dr Static PE information: section name: .vmpLp
Source: libEGL.dll.11.dr Static PE information: section name: .00cfg
Source: libEGL.dll.11.dr Static PE information: section name: .voltbl
Source: libGLESv2.dll.11.dr Static PE information: section name: .00cfg
Source: libGLESv2.dll.11.dr Static PE information: section name: .voltbl
Source: chrome_elf.dll.11.dr Static PE information: section name: .00cfg
Source: chrome_elf.dll.11.dr Static PE information: section name: .crthunk
Source: chrome_elf.dll.11.dr Static PE information: section name: CPADinfo
Source: chrome_elf.dll.11.dr Static PE information: section name: malloc_h
Source: libEGL.dll0.11.dr Static PE information: section name: .00cfg
Source: libGLESv2.dll0.11.dr Static PE information: section name: .00cfg
Source: libcef.dll.11.dr Static PE information: section name: .00cfg
Source: libcef.dll.11.dr Static PE information: section name: .rodata
Source: libcef.dll.11.dr Static PE information: section name: CPADinfo
Source: libcef.dll.11.dr Static PE information: section name: malloc_h
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Code function: 0_2_00401CD1 push ecx; ret 0_2_00401CD2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Code function: 0_2_00401C91 push 00000076h; iretd 0_2_00401C93
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Code function: 0_2_00402E96 push B92A2F4Ch; retf 0_2_00402E9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Code function: 0_2_02962EFD push B92A2F4Ch; retf 0_2_02962F02
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Code function: 0_2_02961CF8 push 00000076h; iretd 0_2_02961CFA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Code function: 0_2_02961D38 push ecx; ret 0_2_02961D39
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Code function: 0_2_02996F22 push FFFFFFFBh; iretd 0_2_02996F38
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Code function: 0_2_02994EA4 push edx; ret 0_2_02994EA5
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 4_2_00401CD1 push ecx; ret 4_2_00401CD2
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 4_2_00401C91 push 00000076h; iretd 4_2_00401C93
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 4_2_00402E96 push B92A2F4Ch; retf 4_2_00402E9B
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 4_2_027D1D38 push ecx; ret 4_2_027D1D39
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 4_2_027D2EFD push B92A2F4Ch; retf 4_2_027D2F02
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 4_2_027D1CF8 push 00000076h; iretd 4_2_027D1CFA
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 4_2_02826552 push FFFFFFFBh; iretd 4_2_02826568
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 4_2_028244D4 push edx; ret 4_2_028244D5
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_00EA004B push ecx; ret 9_2_00EA005E
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 10_2_00401CD1 push ecx; ret 10_2_00401CD2
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 10_2_00401C91 push 00000076h; iretd 10_2_00401C93
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 10_2_00402E96 push B92A2F4Ch; retf 10_2_00402E9B
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 10_2_02791D38 push ecx; ret 10_2_02791D39
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 10_2_02791CF8 push 00000076h; iretd 10_2_02791CFA
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 10_2_02792EFD push B92A2F4Ch; retf 10_2_02792F02
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 10_2_027B99FA push FFFFFFFBh; iretd 10_2_027B9A10
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 10_2_027B797C push edx; ret 10_2_027B797D
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 10_2_027BC7B8 push 28027BC8h; retf 10_2_027BC7BD
Source: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Static PE information: section name: .text entropy: 7.5001533145273696
Source: svgbeht.2.dr Static PE information: section name: .text entropy: 7.5001533145273696
Source: Ionic.Zip.dll.11.dr Static PE information: section name: .text entropy: 6.821349263259562
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libcef.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\7719.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\log4net.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Del.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7719.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7719.exe File created: C:\Users\user\AppData\Local\Temp\nsz7739.tmp\blowfish.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\svgbeht Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\53FF.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7719.exe File created: C:\Users\user\AppData\Local\Temp\setup.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7719.exe File created: C:\Users\user\AppData\Local\Temp\nsz7739.tmp\INetC.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7719.exe File created: C:\Users\user\AppData\Local\Temp\nsz7739.tmp\nsProcess.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\96C7.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Local\Temp\nsn3C59.tmp\liteFirewall.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\svgbeht Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\securiteinfo.com.w32.trojan.fwf.gen.eldorado.2850.19434.exe Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\svgbeht:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7719.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\53FF.exe System information queried: FirmwareTableInformation Jump to behavior
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Roaming\svgbeht API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Roaming\svgbeht API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Local\Temp\53FF.exe API/Special instruction interceptor: Address: 10476F5
Source: C:\Users\user\AppData\Local\Temp\53FF.exe API/Special instruction interceptor: Address: 1255B80
Source: C:\Users\user\AppData\Local\Temp\53FF.exe API/Special instruction interceptor: Address: 15020B2
Source: C:\Users\user\AppData\Local\Temp\53FF.exe API/Special instruction interceptor: Address: 1527E15
Source: C:\Users\user\AppData\Local\Temp\53FF.exe API/Special instruction interceptor: Address: 11A91D7
Source: C:\Users\user\AppData\Local\Temp\53FF.exe API/Special instruction interceptor: Address: 15A4DE8
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe, svgbeht Binary or memory string: ASWHOOK
Source: svgbeht, 0000000A.00000002.2975436288.00000000027A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK<
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2A60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2CB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2A60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 960000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 24A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 23B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 850000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 25D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 45D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2A70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2C50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2A70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1450000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2F00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1810000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 16F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3150000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 16F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 26E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2770000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4770000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: A00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2500000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4500000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: C40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2B00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: CA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 12B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2DD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2D00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 14C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2EB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4EB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2D40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2EC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4EC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 8F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2210000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4210000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2960000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2BD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2AF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2960000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2B90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 29D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1050000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2B50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 10E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1520000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 31C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 51C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: AE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2860000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: DD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1420000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2E40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2C10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: C30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2730000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2550000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1430000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2D20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4D20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: E50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2A00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4A00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 17F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 32A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 52A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: A70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2590000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: BD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 910000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2300000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 970000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: B70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2560000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 22B0000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Thread delayed: delay time: 600000
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 433 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 4706 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1037 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 870 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 879 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libcef.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\log4net.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7719.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsz7739.tmp\INetC.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7719.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsz7739.tmp\nsProcess.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Del.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7719.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsz7739.tmp\blowfish.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn3C59.tmp\liteFirewall.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5908 Thread sleep time: -470600s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6604 Thread sleep time: -103700s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 4788 Thread sleep time: -32500s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6848 Thread sleep time: -32000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe TID: 6008 Thread sleep time: -210000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 6100 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 2132 Thread sleep count: 33 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\7719.exe Code function: 8_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 8_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\7719.exe Code function: 8_2_004066FF FindFirstFileA,FindClose, 8_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\7719.exe Code function: 8_2_004027AA FindFirstFileA, 8_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_00EB24BD FindFirstFileExW, 9_2_00EB24BD
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_036E1000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection, 9_2_036E1000
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_036E4E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW, 9_2_036E4E27
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_036E1D3C FindFirstFileW,FindNextFileW, 9_2_036E1D3C
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_036E40BA FindFirstFileW,FindNextFileW, 9_2_036E40BA
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_036E3EFC FindFirstFileW,FindNextFileW, 9_2_036E3EFC
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_036E2054 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA, 9_2_036E2054
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\96C7.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe File opened: C:\Users\user\AppData\Local\Adobe\ Jump to behavior
Source: explorer.exe, 00000002.00000000.2115963975.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2113028471.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: 53FF.exe, 00000005.00000003.2475592601.000000000367E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2464232974.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2530387995.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2453884126.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000002.2574430878.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2573425240.000000000069C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000002.2574211817.000000000064E000.00000004.00000020.00020000.00000000.sdmp, 7719.exe, 00000008.00000002.3876439042.0000000000838000.00000004.00000020.00020000.00000000.sdmp, 7719.exe, 00000008.00000003.3872830202.000000000086F000.00000004.00000020.00020000.00000000.sdmp, 7719.exe, 00000008.00000003.3873000462.0000000000837000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 96C7.exe, 00000009.00000002.3435692996.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW^
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 7719.exe, 00000008.00000003.3872463864.0000000000856000.00000004.00000020.00020000.00000000.sdmp, 7719.exe, 00000008.00000003.3872830202.000000000085B000.00000004.00000020.00020000.00000000.sdmp, 7719.exe, 00000008.00000002.3876675879.000000000085E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWUe~
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2114531614.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: 53FF.exe, 00000005.00000003.2475592601.000000000367E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: explorer.exe, 00000002.00000000.2113719983.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2114531614.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2114531614.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2113719983.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: GamePall.exe, 0000000C.00000002.3966691310.0000000000E92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: explorer.exe, 00000002.00000000.2113719983.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2113719983.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: 53FF.exe, 00000005.00000003.2475592601.0000000003679000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: explorer.exe, 00000002.00000000.2113028471.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\AppData\Local\Temp\7719.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht System information queried: CodeIntegrityInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_00EA4383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00EA4383
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\7719.exe Code function: 8_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary, 8_2_100010D0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Code function: 0_2_02960D90 mov eax, dword ptr fs:[00000030h] 0_2_02960D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Code function: 0_2_0296092B mov eax, dword ptr fs:[00000030h] 0_2_0296092B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Code function: 0_2_0298ED2F push dword ptr fs:[00000030h] 0_2_0298ED2F
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 4_2_027D092B mov eax, dword ptr fs:[00000030h] 4_2_027D092B
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 4_2_027D0D90 mov eax, dword ptr fs:[00000030h] 4_2_027D0D90
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 4_2_0281E35F push dword ptr fs:[00000030h] 4_2_0281E35F
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 10_2_0279092B mov eax, dword ptr fs:[00000030h] 10_2_0279092B
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 10_2_02790D90 mov eax, dword ptr fs:[00000030h] 10_2_02790D90
Source: C:\Users\user\AppData\Roaming\svgbeht Code function: 10_2_027B1807 push dword ptr fs:[00000030h] 10_2_027B1807
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_00EB5891 GetProcessHeap, 9_2_00EB5891
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_00EA4383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00EA4383
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_00EA0495 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00EA0495
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_00EA06F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00EA06F0
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_00EA0622 SetUnhandledExceptionFilter, 9_2_00EA0622
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: 7719.exe.2.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 190.159.30.35 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 141.8.192.126 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 185.68.16.7 443 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 127.0.0.127 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 80 Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Thread created: C:\Windows\explorer.exe EIP: 33419D0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Thread created: unknown EIP: 83819D0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Thread created: unknown EIP: 33719D0 Jump to behavior
LummaC encrypted strings found
Source: 53FF.exe, 00000005.00000002.2575274982.0000000000CFD000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: pedestriankodwu.xyz
Source: 53FF.exe, 00000005.00000002.2575274982.0000000000CFD000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: towerxxuytwi.xyz
Source: 53FF.exe, 00000005.00000002.2575274982.0000000000CFD000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: ellaboratepwsz.xyz
Source: 53FF.exe, 00000005.00000002.2575274982.0000000000CFD000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: penetratedpoopp.xyz
Source: 53FF.exe, 00000005.00000002.2575274982.0000000000CFD000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: swellfrrgwwos.xyz
Source: 53FF.exe, 00000005.00000002.2575274982.0000000000CFD000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: contintnetksows.shop
Source: 53FF.exe, 00000005.00000002.2575274982.0000000000CFD000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: foodypannyjsud.shop
Source: 53FF.exe, 00000005.00000002.2575274982.0000000000CFD000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: potterryisiw.shop
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\svgbeht Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3924 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=2972 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=2260 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521213265 --mojo-platform-channel-handle=4044 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521380179 --mojo-platform-channel-handle=4056 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3924 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=2972 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=2260 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521213265 --mojo-platform-channel-handle=4044 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521380179 --mojo-platform-channel-handle=4056 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3924 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=2972 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=2260 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521213265 --mojo-platform-channel-handle=4044 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.127 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719957786566967 --launch-time-ticks=6521380179 --mojo-platform-channel-handle=4056 --field-trial-handle=3932,i,15479230681103079642,970092008260029416,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: explorer.exe, 00000002.00000000.2115963975.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000002.00000000.2113398791.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.2114396314.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2113398791.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2113398791.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.2113398791.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2113028471.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_00EA013C cpuid 9_2_00EA013C
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 9_2_00EB50DC
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: GetLocaleInfoW, 9_2_00EAE096
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: EnumSystemLocalesW, 9_2_00EB5051
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: GetLocaleInfoW, 9_2_00EB532F
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 9_2_00EB5458
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: GetLocaleInfoW, 9_2_00EB555E
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 9_2_00EB5634
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: EnumSystemLocalesW, 9_2_00EADBC7
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 9_2_00EB4CBF
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: EnumSystemLocalesW, 9_2_00EB4FB6
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: EnumSystemLocalesW, 9_2_00EB4F6B
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\96C7.exe Code function: 9_2_00EA038F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 9_2_00EA038F
Source: C:\Users\user\AppData\Local\Temp\7719.exe Code function: 8_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 8_2_004034CC
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: 53FF.exe, 00000005.00000003.2529482964.000000000071C000.00000004.00000020.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2529686920.0000000000678000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: 53FF.exe, 00000005.00000003.2529624782.000000000363A000.00000004.00000800.00020000.00000000.sdmp, 53FF.exe, 00000005.00000003.2533808667.000000000363B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ws Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\53FF.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: 53FF.exe PID: 3176, type: MEMORYSTR
Yara detected Poverty Stealer
Source: Yara match File source: 9.2.96C7.exe.36e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.96C7.exe.dfff80.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.96C7.exe.da83c0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.96C7.exe.36e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.96C7.exe.dfff80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.96C7.exe.da83c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 96C7.exe PID: 5952, type: MEMORYSTR
Yara detected SmokeLoader
Source: Yara match File source: 0000000A.00000002.2975757928.0000000004271000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2123557960.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2123517246.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2417127304.00000000027E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2975710135.0000000004250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2417303583.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 53FF.exe, 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: 53FF.exe, 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\ElectronCash\wallets
Source: 53FF.exe, 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty
Source: 53FF.exe, 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: 53FF.exe, 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 53FF.exe, 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3mp2
Source: 53FF.exe, 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: 53FF.exe, 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets=
Source: 53FF.exe, 00000005.00000003.2516578900.000000000068D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\96C7.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\53FF.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU Jump to behavior
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Directory queried: number of queries: 1660
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000003.2516578900.000000000069C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2516799082.000000000069C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2516945580.000000000069C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 53FF.exe PID: 3176, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: 53FF.exe PID: 3176, type: MEMORYSTR
Yara detected Poverty Stealer
Source: Yara match File source: 9.2.96C7.exe.36e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.96C7.exe.dfff80.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.96C7.exe.da83c0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.96C7.exe.36e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.96C7.exe.dfff80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.96C7.exe.da83c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.3435692996.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3449305586.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 96C7.exe PID: 5952, type: MEMORYSTR
Yara detected SmokeLoader
Source: Yara match File source: 0000000A.00000002.2975757928.0000000004271000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2123557960.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2123517246.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2417127304.00000000027E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2975710135.0000000004250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2417303583.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1466524 Sample: SecuriteInfo.com.W32.Trojan... Startdate: 03/07/2024 Architecture: WINDOWS Score: 100 99 Found malware configuration 2->99 101 Malicious sample detected (through community Yara rule) 2->101 103 Antivirus detection for dropped file 2->103 105 10 other signatures 2->105 12 SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe 2->12         started        15 svgbeht 2->15         started        17 svgbeht 2->17         started        process3 signatures4 137 Detected unpacking (changes PE section rights) 12->137 139 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->139 141 Maps a DLL or memory area into another process 12->141 143 Switches to a custom stack to bypass stack traces 12->143 19 explorer.exe 87 10 12->19 injected 145 Multi AV Scanner detection for dropped file 15->145 147 Checks if the current machine is a virtual machine (disk enumeration) 15->147 149 Creates a thread in another existing process (thread injection) 15->149 151 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 17->151 process5 dnsIp6 85 185.68.16.7 UKRAINE-ASUA Ukraine 19->85 87 190.159.30.35 TelmexColombiaSACO Colombia 19->87 89 2 other IPs or domains 19->89 69 C:\Users\user\AppData\Roaming\svgbeht, PE32 19->69 dropped 71 C:\Users\user\AppData\Local\Temp\96C7.exe, PE32 19->71 dropped 73 C:\Users\user\AppData\Local\Temp\7719.exe, PE32 19->73 dropped 75 2 other malicious files 19->75 dropped 109 System process connects to network (likely due to code injection or exploit) 19->109 111 Benign windows process drops PE files 19->111 113 Deletes itself after installation 19->113 115 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->115 24 7719.exe 3 35 19->24         started        28 53FF.exe 19->28         started        31 96C7.exe 12 19->31         started        33 GamePall.exe 19->33         started        file7 signatures8 process9 dnsIp10 77 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 24->77 dropped 79 C:\Users\user\AppData\Local\...\blowfish.dll, PE32 24->79 dropped 81 C:\Users\user\AppData\Local\...\huge[1].dat, PE32 24->81 dropped 83 2 other files (none is malicious) 24->83 dropped 121 Antivirus detection for dropped file 24->121 123 Multi AV Scanner detection for dropped file 24->123 35 setup.exe 24->35         started        93 188.114.96.3 CLOUDFLARENETUS European Union 28->93 125 Query firmware table information (likely to detect VMs) 28->125 127 Machine Learning detection for dropped file 28->127 129 Found many strings related to Crypto-Wallets (likely being stolen) 28->129 135 3 other signatures 28->135 95 146.70.169.164 TENET-1ZA United Kingdom 31->95 97 104.192.141.1 AMAZON-02US United States 31->97 131 Found evasive API chain (may stop execution after checking mutex) 31->131 133 Tries to harvest and steal browser information (history, passwords, etc) 31->133 file11 signatures12 process13 file14 61 C:\Users\user\AppData\...\vulkan-1.dll, PE32 35->61 dropped 63 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32 35->63 dropped 65 C:\Users\user\AppData\...\libGLESv2.dll, PE32 35->65 dropped 67 16 other files (13 malicious) 35->67 dropped 107 Antivirus detection for dropped file 35->107 39 GamePall.exe 35->39         started        signatures15 process16 dnsIp17 91 104.21.45.251 CLOUDFLARENETUS United States 39->91 117 Antivirus detection for dropped file 39->117 119 Machine Learning detection for dropped file 39->119 43 GamePall.exe 39->43         started        45 GamePall.exe 39->45         started        47 GamePall.exe 39->47         started        49 6 other processes 39->49 signatures18 process19 process20 51 GamePall.exe 43->51         started        53 GamePall.exe 43->53         started        55 GamePall.exe 43->55         started        57 12 other processes 43->57 process21 59 GamePall.exe 51->59         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
190.159.30.35
 unknown Colombia
10620 TelmexColombiaSACO true
104.192.141.1
 unknown United States
16509 AMAZON-02US false
141.8.192.126
 unknown Russian Federation
35278 SPRINTHOSTRU true
188.114.96.3
 unknown European Union
13335 CLOUDFLARENETUS true
104.21.45.251
 unknown United States
13335 CLOUDFLARENETUS false
185.68.16.7
 unknown Ukraine
200000 UKRAINE-ASUA true
146.70.169.164
 unknown United Kingdom
2018 TENET-1ZA true

Private

IP
127.0.0.127

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://gebeus.ru/tmp/index.php true
    http://cx5519.com/tmp/index.php true
      contintnetksows.shop true
        http://evilos.cc/tmp/index.php true
          ellaboratepwsz.xyz true
            swellfrrgwwos.xyz true
              foodypannyjsud.shop true
                pedestriankodwu.xyz true
                  towerxxuytwi.xyz true