Windows Analysis Report
6IMo1kM9CC.exe

Overview

General Information

Sample name: 6IMo1kM9CC.exe
Renamed because the original name is a hash value
Original sample name: 811a28d373d02ae481e4858dfb8b1d15.exe
Analysis ID: 1466591
MD5: 811a28d373d02ae481e4858dfb8b1d15
SHA1: 74ca1efcd4d1f41691f0cd005662cc56537b04a8
SHA256: 7e92a078f6f875b189bc4b2bca87f4f737eb2048356a51a1962f359b645d1b0f
Tags: exe

Detection

LummaC, Poverty Stealer, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected LummaC Stealer
Yara detected Poverty Stealer
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

AV Detection

Source: https://foodypannyjsud.shop/api3 Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/ta Avira URL Cloud: Label: malware
Source: http://cx5519.com/tmp/index.php Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/piL4 Avira URL Cloud: Label: malware
Source: http://evilos.cc/tmp/index.php Avira URL Cloud: Label: malware
Source: ellaboratepwsz.xyz Avira URL Cloud: Label: malware
Source: swellfrrgwwos.xyz Avira URL Cloud: Label: malware
Source: foodypannyjsud.shop Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/apiX Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/HH Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/api## Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\setup.exe Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Temp\F817.exe Avira: detection malicious, Label: HEUR/AGEN.1313486
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Avira: detection malicious, Label: HEUR/AGEN.1352426
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Temp\218A.exe Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: 00000005.00000002.2053247298.0000000004360000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
Source: 9.2.500D.exe.130dd40.1.raw.unpack Malware Configuration Extractor: Poverty Stealer {"C2 url": "146.70.169.164:2227"}
Source: F817.exe.4168.6.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "bOKHNM--"}
Source: http://cx5519.com/tmp/index.php Virustotal: Detection: 11%
Source: http://evilos.cc/tmp/index.php Virustotal: Detection: 12%
Source: ellaboratepwsz.xyz Virustotal: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\218A.exe ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\500D.exe ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\F817.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\feuiuvb ReversingLabs: Detection: 65%
Source: 6IMo1kM9CC.exe ReversingLabs: Detection: 65%
Source: 6IMo1kM9CC.exe Virustotal: Detection: 38%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\F817.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\Del.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\500D.exe Joe Sandbox ML: detected
Source: 6IMo1kM9CC.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_03951C94 CryptUnprotectData,CryptProtectData, 9_2_03951C94

Compliance

Source: C:\Users\user\AppData\Local\Temp\500D.exe Unpacked PE file: 9.2.500D.exe.3950000.3.unpack
Source: 6IMo1kM9CC.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: ntkrnlmp.pdbx, source: 500D.exe, 00000009.00000002.3201827147.000000000A96B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: Newtonsoft.Json.dll.11.dr
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdb source: widevinecdmadapter.dll.11.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.11.dr
Source: Binary string: libEGL.dll.pdb source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb6 source: 500D.exe, 00000009.00000002.3201827147.000000000A96B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\* source: 500D.exe, 00000009.00000002.3030907075.00000000012BD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000C.00000000.3356056040.0000000000102000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 00000014.00000002.3467073879.0000000005E22000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb3 source: 500D.exe, 00000009.00000002.3201827147.000000000A96B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 00000014.00000002.3467073879.0000000005E22000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000015.00000002.3458150672.00000000051C2000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdbGCTL source: widevinecdmadapter.dll.11.dr
Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exemePalll source: setup.exe, 0000000B.00000002.3671509644.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 00000015.00000002.3458150672.00000000051C2000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: 500D.exe, 00000009.00000002.3030907075.00000000012BD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: 500D.exe, 00000009.00000000.2259206208.0000000000489000.00000002.00000001.01000000.0000000C.sdmp, 500D.exe, 00000009.00000002.3027026601.0000000000489000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb5 source: 500D.exe, 00000009.00000002.3201827147.000000000A96B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3672231762.00000000006C9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3672231762.00000000006C9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: libGLESv2.dll.pdb source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: 500D.exe, 00000009.00000000.2259206208.0000000000489000.00000002.00000001.01000000.0000000C.sdmp, 500D.exe, 00000009.00000002.3027026601.0000000000489000.00000002.00000001.01000000.0000000C.sdmp
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Directory queried: number of queries: 1460
Source: C:\Users\user\AppData\Local\Temp\218A.exe Code function: 8_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 8_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\218A.exe Code function: 8_2_004066FF FindFirstFileA,FindClose, 8_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\218A.exe Code function: 8_2_004027AA FindFirstFileA, 8_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_0048256E FindFirstFileExW,FindNextFileW,FindClose,FindClose, 9_2_0048256E
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_03951000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection, 9_2_03951000
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_03954E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW, 9_2_03954E27
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_03951D3C FindFirstFileW,FindNextFileW, 9_2_03951D3C
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_039540BA FindFirstFileW,FindNextFileW, 9_2_039540BA
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_03953EFC FindFirstFileW,FindNextFileW, 9_2_03953EFC
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_00417563 GetLogicalDriveStringsW,lstrcatW,InterlockedExchangeAdd,WriteConsoleA,lstrcpynW,GetAtomNameA,AreFileApisANSI,ReadConsoleOutputA,SetVolumeMountPointW,GetModuleFileNameW,EnumCalendarInfoExW,GetBoundsRect,EnumDependentServicesA,GlobalAlloc,AddAtomA,GetCommProperties,GetTickCount,GetLastError,ZombifyActCtx,GetConsoleAliasesW,FoldStringA,LoadLibraryA, 0_2_00417563
Source: C:\Users\user\AppData\Local\Temp\500D.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
Source: C:\Users\user\AppData\Local\Temp\500D.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Users\user\AppData\Local\Temp\500D.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
Source: C:\Users\user\AppData\Local\Temp\500D.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\AppData\Local\Temp\500D.exe File opened: C:\Users\user\AppData\Local\Adobe\
Source: C:\Users\user\AppData\Local\Temp\500D.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\

Networking

Source: C:\Windows\explorer.exe Network Connect: 190.98.23.157 80
Source: C:\Windows\explorer.exe Network Connect: 141.8.192.126 80
Source: C:\Windows\explorer.exe Network Connect: 185.68.16.7 443
Source: C:\Windows\explorer.exe Network Connect: 127.0.0.127 80
Source: C:\Windows\explorer.exe Network Connect: 188.114.97.3 80
Source: Malware configuration extractor URLs: pedestriankodwu.xyz
Source: Malware configuration extractor URLs: towerxxuytwi.xyz
Source: Malware configuration extractor URLs: ellaboratepwsz.xyz
Source: Malware configuration extractor URLs: penetratedpoopp.xyz
Source: Malware configuration extractor URLs: swellfrrgwwos.xyz
Source: Malware configuration extractor URLs: contintnetksows.shop
Source: Malware configuration extractor URLs: foodypannyjsud.shop
Source: Malware configuration extractor URLs: potterryisiw.shop
Source: Malware configuration extractor URLs: potterryisiw.shop
Source: Malware configuration extractor URLs: http://evilos.cc/tmp/index.php
Source: Malware configuration extractor URLs: http://gebeus.ru/tmp/index.php
Source: Malware configuration extractor URLs: http://office-techs.biz/tmp/index.php
Source: Malware configuration extractor URLs: http://cx5519.com/tmp/index.php
Source: Malware configuration extractor URLs: 146.70.169.164:2227
Source: Joe Sandbox View IP Address: 104.192.141.1
Source: Joe Sandbox View IP Address: 188.114.97.3
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: TelecommunicationcompanySuriname-TeleSurSR
Source: Joe Sandbox View ASN Name: SPRINTHOSTRU
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_00415B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,FreeLibrary,task, 9_2_00415B80
Source: GamePall.exe, 00000014.00000002.3437085284.0000000003261000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.install-stat.debug.world/clients/activity
Source: GamePall.exe, 0000001A.00000002.3761658883.00000000033D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.install-stat.debug.world/clients/activity.0
Source: GamePall.exe, 00000014.00000002.3437085284.0000000003261000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000001A.00000002.3761658883.00000000033D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.install-stat.debug.world/clients/installs
Source: GamePall.exe, 00000014.00000002.3437085284.0000000003261000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000001A.00000002.3761658883.00000000033D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bageyou.xyz
Source: 218A.exe, 00000008.00000002.3692884368.000000000067C000.00000004.00000020.00020000.00000000.sdmp, 218A.exe, 00000008.00000003.3681961444.000000000067A000.00000004.00000020.00020000.00000000.sdmp, 218A.exe, 00000008.00000002.3692808692.0000000000675000.00000004.00000020.00020000.00000000.sdmp, 218A.exe, 00000008.00000003.3682044502.0000000000675000.00000004.00000020.00020000.00000000.sdmp, 218A.exe, 00000008.00000003.3681754297.0000000000675000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xiexie.wf/
Source: 218A.exe, 00000008.00000002.3692458413.00000000005F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xiexie.wf/22_551/huge.dat
Source: 218A.exe, 00000008.00000002.3692458413.00000000005F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xiexie.wf/22_551/huge.date
Source: 218A.exe, 00000008.00000002.3692458413.00000000005F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xiexie.wf/22_551/huge.datl
Source: 218A.exe, 00000008.00000002.3692458413.00000000005F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xiexie.wf/22_551/huge.datlEq
Source: 218A.exe, 00000008.00000002.3689962249.0000000000434000.00000004.00000001.01000000.00000008.sdmp String found in binary or memory: http://xiexie.wf/22_551/huge.datmCGBZvyfGQlwd
Source: 218A.exe, 00000008.00000002.3692458413.00000000005F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xiexie.wf/22_551/huge.datyq
Source: 218A.exe, 00000008.00000002.3692808692.0000000000675000.00000004.00000020.00020000.00000000.sdmp, 218A.exe, 00000008.00000003.3682044502.0000000000675000.00000004.00000020.00020000.00000000.sdmp, 218A.exe, 00000008.00000003.3681754297.0000000000675000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xiexie.wf/b6e4-4079-b30a-7368302a1ad4
Source: F817.exe, 00000006.00000003.2119970825.0000000003578000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2119728485.000000000357A000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2119805294.0000000003578000.00000004.00000800.00020000.00000000.sdmp, 500D.exe, 00000009.00000002.3050703788.000000000A169000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000001.00000000.1762348499.000000000C893000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1758639287.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1758639287.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1762348499.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1760250620.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1760250620.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1757887093.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1757276311.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1760250620.00000000096DF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1760250620.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1760250620.00000000096DF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: 500D.exe, 00000009.00000002.3030907075.000000000129D000.00000004.00000020.00020000.00000000.sdmp, 500D.exe, 00000009.00000003.2803440508.00000000012B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/
Source: 500D.exe, 00000009.00000002.3030907075.0000000001250000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee
Source: 500D.exe, 00000009.00000002.3030907075.000000000129D000.00000004.00000020.00020000.00000000.sdmp, 500D.exe, 00000009.00000003.2803440508.00000000012B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupeetP
Source: 500D.exe, 00000009.00000002.3030907075.000000000129D000.00000004.00000020.00020000.00000000.sdmp, 500D.exe, 00000009.00000003.2803440508.00000000012B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupeewP
Source: F817.exe, 00000006.00000003.2142413842.00000000011A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: F817.exe, 00000006.00000003.2119970825.0000000003578000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2119728485.000000000357A000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2119805294.0000000003578000.00000004.00000800.00020000.00000000.sdmp, 500D.exe, 00000009.00000002.3050703788.000000000A169000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1758639287.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1758639287.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: F817.exe, 00000006.00000003.2119970825.0000000003578000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2119728485.000000000357A000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2119805294.0000000003578000.00000004.00000800.00020000.00000000.sdmp, 500D.exe, 00000009.00000002.3050703788.000000000A169000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: F817.exe, 00000006.00000003.2119970825.0000000003578000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2119728485.000000000357A000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2119805294.0000000003578000.00000004.00000800.00020000.00000000.sdmp, 500D.exe, 00000009.00000002.3050703788.000000000A169000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: resources.pak.11.dr String found in binary or memory: https://chrome.google.com/webstore
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.3582265044.00000000059D0000.00000002.00000001.00040000.00000023.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: bg.pak.11.dr String found in binary or memory: https://chrome.google.com/webstore?hl=bg&category=theme81https://myactivity.google.com/myactivity/?u
Source: bg.pak.11.dr String found in binary or memory: https://chrome.google.com/webstore?hl=bgCtrl$1
Source: GamePall.exe, 0000000F.00000002.3582265044.00000000059D0000.00000002.00000001.00040000.00000023.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: GamePall.exe, 0000000F.00000002.3582265044.00000000059D0000.00000002.00000001.00040000.00000023.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: hi.pak.11.dr String found in binary or memory: https://chrome.google.com/webstore?hl=hi&category=theme81https://myactivity.google.com/myactivity/?u
Source: hi.pak.11.dr String found in binary or memory: https://chrome.google.com/webstore?hl=hiCtrl$1
Source: it.pak.11.dr String found in binary or memory: https://chrome.google.com/webstore?hl=it&category=theme81https://myactivity.google.com/myactivity/?u
Source: it.pak.11.dr String found in binary or memory: https://chrome.google.com/webstore?hl=itCtrl$1
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=ukCtrl$1
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=urCtrl$2
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=viCtrl$1
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CNCtrl$1
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TWCtrl$1
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.3582265044.00000000059D0000.00000002.00000001.00040000.00000023.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.3582265044.00000000059D0000.00000002.00000001.00040000.00000023.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.3582265044.00000000059D0000.00000002.00000001.00040000.00000023.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.3582265044.00000000059D0000.00000002.00000001.00040000.00000023.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.3582265044.00000000059D0000.00000002.00000001.00040000.00000023.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.3582265044.00000000059D0000.00000002.00000001.00040000.00000023.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.3582265044.00000000059D0000.00000002.00000001.00040000.00000023.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: resources.pak.11.dr String found in binary or memory: https://chromewebstore.google.com/
Source: resources.pak.11.dr String found in binary or memory: https://codereview.chromium.org/25305002).
Source: F817.exe, 00000006.00000003.2142413842.00000000011A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: F817.exe, 00000006.00000003.2142413842.00000000011A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: resources.pak.11.dr String found in binary or memory: https://crbug.com/1201800
Source: resources.pak.11.dr String found in binary or memory: https://crbug.com/1245093):
Source: resources.pak.11.dr String found in binary or memory: https://crbug.com/1446731
Source: 500D.exe, 00000009.00000003.2803440508.00000000012B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
Source: 500D.exe, 00000009.00000003.2803440508.00000000012B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
Source: F817.exe, 00000006.00000003.2119970825.0000000003578000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2119728485.000000000357A000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2119805294.0000000003578000.00000004.00000800.00020000.00000000.sdmp, 500D.exe, 00000009.00000002.3050703788.000000000A169000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: F817.exe, 00000006.00000003.2119970825.0000000003578000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2119728485.000000000357A000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2119805294.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: F817.exe, 00000006.00000003.2119970825.0000000003578000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2119728485.000000000357A000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2119805294.0000000003578000.00000004.00000800.00020000.00000000.sdmp, 500D.exe, 00000009.00000002.3050703788.000000000A169000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000001.00000000.1762348499.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: F817.exe, 00000006.00000002.2218701659.0000000001123000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2171241114.00000000011A1000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2118943069.0000000001121000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2157103537.00000000011A3000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2119084013.000000000113D000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2215782574.000000000118D000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2170576082.0000000003547000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2153986587.00000000011A3000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2118709626.000000000112B000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2172078849.00000000011A2000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2215674715.0000000001121000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2153223179.00000000011A1000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2173956861.0000000003548000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2159125091.00000000011A3000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000002.2218781942.000000000118D000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2174224504.00000000011A2000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2216285725.000000000118D000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2118709626.000000000111F000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2153364555.00000000011A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/
Source: F817.exe, 00000006.00000003.2119084013.000000000113D000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2118709626.000000000112B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/2
Source: F817.exe, 00000006.00000003.2141086583.0000000003540000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2140276053.0000000003540000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/33
Source: F817.exe, 00000006.00000003.2215782574.000000000118D000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000002.2218781942.000000000118D000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2216285725.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/F9W4
Source: F817.exe, 00000006.00000003.2130297912.000000000353E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/HH
Source: F817.exe, 00000006.00000003.2118709626.000000000112B000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2173126785.000000000118A000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2184556180.0000000001179000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000002.2218781942.0000000001182000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2173199372.0000000001180000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2173732761.0000000001182000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2215782574.0000000001182000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2173732761.000000000112B000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2174040064.0000000001138000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/api
Source: F817.exe, 00000006.00000003.2173227406.000000000112B000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2174163041.000000000113D000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2173732761.000000000112B000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2174040064.0000000001138000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/api##
Source: F817.exe, 00000006.00000003.2119084013.000000000113D000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2118709626.000000000112B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/api3
Source: F817.exe, 00000006.00000003.2118943069.0000000001121000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2173732761.000000000111F000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2173227406.000000000111F000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2118709626.000000000111F000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2174106668.0000000001121000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/apiX
Source: F817.exe, 00000006.00000003.2119084013.000000000113D000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2118709626.000000000112B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/c
Source: F817.exe, 00000006.00000003.2215782574.000000000118D000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000002.2218781942.000000000118D000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2216285725.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/pi
Source: F817.exe, 00000006.00000003.2215782574.000000000118D000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000002.2218781942.000000000118D000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2216285725.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/piL4
Source: F817.exe, 00000006.00000003.2173705453.000000000118D000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2173126785.000000000118A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/s75
Source: F817.exe, 00000006.00000003.2173705453.000000000118D000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2173126785.000000000118A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/sv5
Source: F817.exe, 00000006.00000003.2173705453.000000000118D000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2173126785.000000000118A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/ta
Source: F817.exe, 00000006.00000003.2119084013.000000000113D000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2118709626.000000000112B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/u
Source: F817.exe, 00000006.00000003.2173227406.0000000001102000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop:443/api
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1758639287.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: F817.exe, 00000006.00000003.2142413842.00000000011A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.3582265044.00000000059D0000.00000002.00000001.00040000.00000023.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr String found in binary or memory: https://myactivity.google.com/
Source: explorer.exe, 00000001.00000000.1762348499.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com_
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp, bg.pak.11.dr String found in binary or memory: https://passwords.google.com
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.3582265044.00000000059D0000.00000002.00000001.00040000.00000023.sdmp, hi.pak.11.dr, it.pak.11.dr String found in binary or memory: https://passwords.google.comGoogle
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://passwords.google.comT
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.3582265044.00000000059D0000.00000002.00000001.00040000.00000023.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.3582265044.00000000059D0000.00000002.00000001.00040000.00000023.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr String found in binary or memory: https://policies.google.com/
Source: explorer.exe, 00000001.00000000.1762348499.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.3582265044.00000000059D0000.00000002.00000001.00040000.00000023.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.3582265044.00000000059D0000.00000002.00000001.00040000.00000023.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: F817.exe, 00000006.00000003.2119337544.000000000358F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: F817.exe, 00000006.00000003.2142108209.0000000003652000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: F817.exe, 00000006.00000003.2142108209.0000000003652000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: F817.exe, 00000006.00000003.2119337544.000000000358D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: F817.exe, 00000006.00000003.2119337544.000000000358D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: GamePall.exe, 00000015.00000002.3460007644.0000000005206000.00000002.00000001.01000000.00000012.sdmp, GamePall.exe, 00000015.00000002.3458150672.00000000051C2000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
Source: 500D.exe, 00000009.00000003.2803440508.00000000012B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1762348499.000000000C557000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1762348499.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: F817.exe, 00000006.00000003.2119970825.0000000003578000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2119728485.000000000357A000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2119805294.0000000003578000.00000004.00000800.00020000.00000000.sdmp, 500D.exe, 00000009.00000002.3050703788.000000000A169000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: F817.exe, 00000006.00000003.2142413842.00000000011A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: resources.pak.11.dr String found in binary or memory: https://www.google.com/
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp, hi.pak.11.dr, bg.pak.11.dr String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&
Source: it.pak.11.dr String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlG&uidaGestito
Source: GamePall.exe, 0000000F.00000002.3582265044.00000000059D0000.00000002.00000001.00040000.00000023.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&r
Source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlYar&d
Source: F817.exe, 00000006.00000003.2119970825.0000000003578000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2119728485.000000000357A000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2119805294.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: F817.exe, 00000006.00000003.2142108209.0000000003652000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: F817.exe, 00000006.00000003.2142108209.0000000003652000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: F817.exe, 00000006.00000003.2142108209.0000000003652000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: F817.exe, 00000006.00000003.2142108209.0000000003652000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: F817.exe, 00000006.00000003.2142108209.0000000003652000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1758639287.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1758639287.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1758639287.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 00000000.00000002.1769827734.0000000004381000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2053247298.0000000004360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1769149234.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2053302883.0000000004381000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\218A.exe Code function: 8_2_004055E7 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 8_2_004055E7
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_03954BA2 GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,DeleteObject,DeleteDC,ReleaseDC, 9_2_03954BA2
Source: GamePall.exe Process created: 54

System Summary

Source: 00000000.00000002.1769827734.0000000004381000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1769019739.0000000002780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.2053247298.0000000004360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2052896799.0000000002740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1769690648.0000000002902000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.2053174181.00000000028E0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1769149234.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2053302883.0000000004381000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401538
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_00402FE9 RtlCreateUserThread,NtTerminateProcess, 0_2_00402FE9
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004014DE
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401496
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401543
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401565
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401579
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040157C
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_00401538
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_00402FE9 RtlCreateUserThread,NtTerminateProcess, 5_2_00402FE9
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_004014DE
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_00401496
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_00401543
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_00401565
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_00401579
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_0040157C
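The call chains listed above for 6IMo1kM9CC.exe and its copy feuiuvb are the interesting part of this section: an NtCreateSection followed by two back-to-back NtMapViewOfSection calls is the classic section-mapping injection primitive (the same section is viewed in the current process and in a target, so the two views alias the same pages and no WriteProcessMemory is needed), and RtlCreateUserThread followed by NtTerminateProcess is a loader handing execution to another process and then exiting. The script below is an added example, not code from the sandbox or from the malware: it parses "Code function" lines in the format this report prints them, and tags each chain with the primitives it is consistent with. The sample lines are copied from this report; the tag names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: four "Code function" lines copied from this report (two from
# the SmokeLoader stage, two benign ones from the 218A.exe installer) so the
# classifier has both positives and negatives to work on.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401538",
    r"Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_00402FE9 RtlCreateUserThread,NtTerminateProcess, 0_2_00402FE9",
    r"Source: C:\Users\user\AppData\Local\Temp\218A.exe Code function: 8_2_00402173 CoCreateInstance,MultiByteToWideChar, 8_2_00402173",
    r"Source: C:\Users\user\AppData\Local\Temp\218A.exe Code function: 8_2_00406A88 8_2_00406A88",
]

# <pid>_<run>_<address> token, then the comma-separated API list, then the token again.
LINE_RE = re.compile(
    r"^Source: (?P<image>.+?) Code function: (?P<func>\d+_\d+_[0-9A-Fa-f]+)\s+"
    r"(?P<apis>.*?)\s*(?P=func)\s*$"
)


@dataclass
class CodeFunction:
    image: str
    func: str
    apis: List[str]


def parse_code_functions(lines: List[str]) -> List[CodeFunction]:
    """Turn report lines into records; lines that are not 'Code function' entries are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        apis = [a.strip() for a in m.group("apis").split(",") if a.strip()]
        out.append(CodeFunction(m.group("image"), m.group("func"), apis))
    return out


def classify(cf: CodeFunction) -> Set[str]:
    """Tag a call chain with the injection primitives it is consistent with."""
    tags: Set[str] = set()
    apis = cf.apis
    for i, api in enumerate(apis):
        # One section mapped twice in a row: the usual way to alias the same pages into
        # the current process (to write the payload) and into a target process (to run
        # it) without ever calling WriteProcessMemory.
        if api == "NtCreateSection" and apis[i + 1:i + 3] == ["NtMapViewOfSection"] * 2:
            tags.add("section-mapping-injection")
    if "RtlCreateUserThread" in apis:
        tags.add("remote-thread-creation")
        # Exiting right after starting a thread elsewhere is the loader's
        # "deliver payload, then vanish" pattern.
        if "NtTerminateProcess" in apis[apis.index("RtlCreateUserThread") + 1:]:
            tags.add("terminate-after-handoff")
    return tags


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map function token -> sorted tags, keeping only functions that triggered something."""
    return {cf.func: sorted(classify(cf)) for cf in parse_code_functions(lines) if classify(cf)}


if __name__ == "__main__":
    for func, tags in triage(SAMPLE_LINES).items():
        print(func, ", ".join(tags))
```

The same parser works on the full "System Summary" block of any report in this format; the 218A.exe entries (a plain COM call chain, and a function with no resolved imports at all) are there to show that the rules stay quiet on ordinary installer code.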
Source: C:\Users\user\AppData\Local\Temp\218A.exe Code function: 8_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary, 8_2_100010D0
Source: C:\Users\user\AppData\Local\Temp\218A.exe Code function: 8_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 8_2_004034CC
Source: C:\Users\user\AppData\Local\Temp\218A.exe Code function: 8_2_00406A88 8_2_00406A88
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_00471490 9_2_00471490
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_0047D515 9_2_0047D515
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_0047BE09 9_2_0047BE09
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: String function: 00470310 appears 51 times
Source: 6IMo1kM9CC.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.1769827734.0000000004381000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1769019739.0000000002780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2053247298.0000000004360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2052896799.0000000002740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1769690648.0000000002902000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.2053174181.00000000028E0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1769149234.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2053302883.0000000004381000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 6IMo1kM9CC.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: feuiuvb.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.cs Cryptographic APIs: 'TransformBlock'
Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.cs Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: GamePall.exe.11.dr, Program.cs Base64 encoded string: 'pizR9uKkcZIkMW+F1cRjYV0LMt6eYXmLuiNCndESDPkTO3eY1Mjv7Hs2Qvo+t26G', 'ZTDMzZVpdA1FSa2RiY6ZCl2QGyLDtQ3OBRa/N40wO2xxcvcDsATtLRGwKtaEB36dqPJnDF8qXNs92JbMBlsOyg==', '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', 'T7BWwqrn4yISEECEAnARpwE8R+3lDHSc+RlcJT90an1SNsS27lGBQjOx4RmDHlrj7oJnnzx1IWXOkbTfLzBeCfU6UJhOIoQKhcWidAxAKIxvqZnoB6AujIU0F7dEj65vahyTdEvkIxzFaV2+akbl53KcDi5RPBOP16iXVi0WJdHV5AbSCI9WCEcSX/fUpmukBh4bjVF/T/P/B6TFVtNZintCOSO2Ha+2va2CJMOnJ020zYskwuvcH9d1rGD3Zf9RBC2obzrhRNK2LXTEIYnifs6L2UdqFhw5aANXILziQtzKvsTQKvc15hvHCCoeXJCyyK7/WgA/oRu7bdrTs2DwCQ==', 'ZY0WCEgzqiLEU8ZUVJwGTpbkuL9KoMwYVloBqJXjur8rfBZEXTysQNKRQ1H7/vn7o0wyHAux60SVy06r4v6So5WWxddei09LXvL6ZwK/tyY=', 's7iS2XfzyI+IBoARaZQlTINg1kEy7qT7EopaSHQzpqktZBtc7UiOYrPdv/6f4cNI', 'o2ZleBui4P9C2ZjnB98Vuesy1C+WucHiXjQJ8RANoX6TheGfnLYAWDsXRfSeNCDHWdkBP2RBrkWPBy/nuM2NFLMETMUsPFeG3JHWafvGKzaNEjYO3Up9m61SnaY5tINvLCYJ/TKITszJ9H1YSm2chnmQGLUzbz4pwvWvvKfH8m7z585W73/QZrtw3l/30vcZaVocgwemYusDJYsOTgeWc0okiDahD7qtJcBYZ0aOzxZZmHDMBYigkRVf8GTJ/xucA/i7EHBFpaWoLVZVcuGFMA==', 'T7BWwqrn4yISEECEAnARp+JyVgG3cZc2/9+3VbyOjc4PuRSCU7ZfXuXpIIH8uj2roUU+W7nSmXHqTuxLhe6DBfNVh8PFZrhNX/YhIexDxrk=', 'G4TxOgdwfNBdU+6bscw2hqt3kZYZMfoEuKZtmCxRLrF8xJCK1+L0ocd8eSQjty7d', 'PcG64iM3U1vDIVDm7HuwTSvKhuz45f/WPqYoWZvzLHcapbEfkynZkUjmDgg30eof', 'XGcq7Js3+2f2oGHGFzxJPiYsrodwK+bTw/0lKjiUd0tSWMHEjdVqzAclD1/nPksq3sGhVTN8oFeHMRE7wAt3mCLVCEXKF9JLnNeWw9vvCbs=', 'T7BWwqrn4yISEECEAnARp8UQ6kvfa8mDiwe39obQZ+Rxfj5bbo//kf+4mlTsZUEg0QM/4QBKb6sUDMsk9OTdYg==', 'T7BWwqrn4yISEECEAnARp/U1NCwfjpQ4K5UKuMbDqXSrjfU6Tf/pOCpHlHXtYnU5', 'Gg/rFkGmnFrfPAny9sQ3qerPGxlC7+cuu92x2tgXrCRkqABwTbbIR8+hJN0krbBD9OJX8s2JqeR+xICuD2u17N7KjlWCZwpg4+c7mG1xAahALfXXbu/EvJy+KsAzQlzR9bu8P4wbyuM6r6/7kdf+VQ==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLT3pudJg4gGhcEax3IHwBI0R5vZR7J9mjUQ8R9MdKz/Fw==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLTcCwJrbTmNGWmZutw1Di2FSZ+3JxFtC00BiemuQuq2+A=='
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@268/115@0/9
Source: C:\Users\user\AppData\Local\Temp\218A.exe Code function: 8_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 8_2_004034CC
Source: C:\Users\user\AppData\Local\Temp\218A.exe Code function: 8_2_00404897 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 8_2_00404897
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_029053F3 CreateToolhelp32Snapshot,Module32First, 0_2_029053F3
Source: C:\Users\user\AppData\Local\Temp\218A.exe Code function: 8_2_00402173 CoCreateInstance,MultiByteToWideChar, 8_2_00402173
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\feuiuvb Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_rendLog.txt
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\500D.exe Mutant created: \Sessions\1\BaseNamedObjects\1e7f31ac-1494-47cc-9633-054c20e7432e
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_mainLog.txt
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\F817.tmp Jump to behavior
Source: 6IMo1kM9CC.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: F817.exe, 00000006.00000003.2119457470.0000000003565000.00000004.00000800.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2119597922.0000000003549000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 6IMo1kM9CC.exe ReversingLabs: Detection: 65%
Source: 6IMo1kM9CC.exe Virustotal: Detection: 38%
Source: unknown Process created: C:\Users\user\Desktop\6IMo1kM9CC.exe "C:\Users\user\Desktop\6IMo1kM9CC.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\feuiuvb C:\Users\user\AppData\Roaming\feuiuvb
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\F817.exe C:\Users\user\AppData\Local\Temp\F817.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\218A.exe C:\Users\user\AppData\Local\Temp\218A.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\500D.exe C:\Users\user\AppData\Local\Temp\500D.exe
Source: C:\Users\user\AppData\Local\Temp\218A.exe Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\setup.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3388 --field-trial-handle=3392,i,3288241207481235149,17663016533976522537,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3548 --field-trial-handle=3392,i,3288241207481235149,17663016533976522537,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3692 --field-trial-handle=3392,i,3288241207481235149,17663016533976522537,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719981540330969 --launch-time-ticks=4728010167 --mojo-platform-channel-handle=4152 --field-trial-handle=3392,i,3288241207481235149,17663016533976522537,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719981540330969 --launch-time-ticks=4728172431 --mojo-platform-channel-handle=4208 --field-trial-handle=3392,i,3288241207481235149,17663016533976522537,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\F817.exe C:\Users\user\AppData\Local\Temp\F817.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\218A.exe C:\Users\user\AppData\Local\Temp\218A.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\500D.exe C:\Users\user\AppData\Local\Temp\500D.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\218A.exe Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\setup.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3388 --field-trial-handle=3392,i,3288241207481235149,17663016533976522537,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3548 --field-trial-handle=3392,i,3288241207481235149,17663016533976522537,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3692 --field-trial-handle=3392,i,3288241207481235149,17663016533976522537,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe Section loaded: webio.dll
Source: C:\Windows\explorer.exe Section loaded: windows.internal.shell.broker.dll
Source: C:\Windows\explorer.exe Section loaded: cdprt.dll
Source: C:\Windows\explorer.exe Section loaded: smartscreenps.dll
Source: C:\Windows\explorer.exe Section loaded: cdprt.dll
Source: C:\Users\user\AppData\Roaming\feuiuvb Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\feuiuvb Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\feuiuvb Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\feuiuvb Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\F817.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\500D.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: firewallapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: fwbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: audioses.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mdmregistration.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mdmregistration.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: omadmapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dmcmnutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iri.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dsreg.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscms.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: ntkrnlmp.pdbx, source: 500D.exe, 00000009.00000002.3201827147.000000000A96B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: Newtonsoft.Json.dll.11.dr
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdb source: widevinecdmadapter.dll.11.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.11.dr
Source: Binary string: libEGL.dll.pdb source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb6 source: 500D.exe, 00000009.00000002.3201827147.000000000A96B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\* source: 500D.exe, 00000009.00000002.3030907075.00000000012BD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000C.00000000.3356056040.0000000000102000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 00000014.00000002.3467073879.0000000005E22000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb3 source: 500D.exe, 00000009.00000002.3201827147.000000000A96B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 00000014.00000002.3467073879.0000000005E22000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000015.00000002.3458150672.00000000051C2000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdbGCTL source: widevinecdmadapter.dll.11.dr
Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exemePalll source: setup.exe, 0000000B.00000002.3671509644.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 00000015.00000002.3458150672.00000000051C2000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: 500D.exe, 00000009.00000002.3030907075.00000000012BD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: 500D.exe, 00000009.00000000.2259206208.0000000000489000.00000002.00000001.01000000.0000000C.sdmp, 500D.exe, 00000009.00000002.3027026601.0000000000489000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb5 source: 500D.exe, 00000009.00000002.3201827147.000000000A96B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3672231762.00000000006C9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3672231762.00000000006C9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: libGLESv2.dll.pdb source: setup.exe, 0000000B.00000002.3672736118.000000000282F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: 500D.exe, 00000009.00000000.2259206208.0000000000489000.00000002.00000001.01000000.0000000C.sdmp, 500D.exe, 00000009.00000002.3027026601.0000000000489000.00000002.00000001.01000000.0000000C.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Unpacked PE file: 0.2.6IMo1kM9CC.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\feuiuvb Unpacked PE file: 5.2.feuiuvb.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\500D.exe Unpacked PE file: 9.2.500D.exe.3950000.3.unpack
Source: Newtonsoft.Json.dll.11.dr Static PE information: 0xF68F744F [Mon Jan 31 06:35:59 2101 UTC]
Source: C:\Users\user\AppData\Local\Temp\218A.exe Code function: 8_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary, 8_2_100010D0
Source: initial sample Static PE information: section where entry point is pointing to: .vmpLp
Source: F817.exe.1.dr Static PE information: section name: .vmpLp
Source: F817.exe.1.dr Static PE information: section name: .vmpLp
Source: F817.exe.1.dr Static PE information: section name: .vmpLp
Source: libEGL.dll.11.dr Static PE information: section name: .00cfg
Source: libEGL.dll.11.dr Static PE information: section name: .voltbl
Source: libGLESv2.dll.11.dr Static PE information: section name: .00cfg
Source: libGLESv2.dll.11.dr Static PE information: section name: .voltbl
Source: chrome_elf.dll.11.dr Static PE information: section name: .00cfg
Source: chrome_elf.dll.11.dr Static PE information: section name: .crthunk
Source: chrome_elf.dll.11.dr Static PE information: section name: CPADinfo
Source: chrome_elf.dll.11.dr Static PE information: section name: malloc_h
Source: libEGL.dll0.11.dr Static PE information: section name: .00cfg
Source: libGLESv2.dll0.11.dr Static PE information: section name: .00cfg
Source: libcef.dll.11.dr Static PE information: section name: .00cfg
Source: libcef.dll.11.dr Static PE information: section name: .rodata
Source: libcef.dll.11.dr Static PE information: section name: CPADinfo
Source: libcef.dll.11.dr Static PE information: section name: malloc_h
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_00408616 push eax; retf 0000h 0_2_00408619
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_00401CD1 push ecx; ret 0_2_00401CD2
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_004084E6 push FFFFFFFBh; iretd 0_2_004084FC
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_00401C91 push 00000076h; iretd 0_2_00401C93
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_00402E96 push B92A2F4Ch; retf 0_2_00402E9B
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_0278867D push eax; retf 0000h 0_2_02788680
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_02781CF8 push 00000076h; iretd 0_2_02781CFA
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_02782EFD push B92A2F4Ch; retf 0_2_02782F02
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_0278854D push FFFFFFFBh; iretd 0_2_02788563
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_02781D38 push ecx; ret 0_2_02781D39
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_0290CEC3 push FFFFFFFBh; iretd 0_2_0290CED9
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_0290AE45 push edx; ret 0_2_0290AE46
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_00408616 push eax; retf 0000h 5_2_00408619
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_00401CD1 push ecx; ret 5_2_00401CD2
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_004084E6 push FFFFFFFBh; iretd 5_2_004084FC
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_00401C91 push 00000076h; iretd 5_2_00401C93
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_00402E96 push B92A2F4Ch; retf 5_2_00402E9B
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_0274867D push eax; retf 0000h 5_2_02748680
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_02742EFD push B92A2F4Ch; retf 5_2_02742F02
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_02741CF8 push 00000076h; iretd 5_2_02741CFA
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_0274854D push FFFFFFFBh; iretd 5_2_02748563
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_02741D38 push ecx; ret 5_2_02741D39
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_028EDB88 push 2895EEC3h; ret 5_2_028EDB8F
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_028EB2D3 push FFFFFFFBh; iretd 5_2_028EB2E9
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_028E9255 push edx; ret 5_2_028E9256
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_0047004B push ecx; ret 9_2_0047005E
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_004789AD push cs; ret 9_2_004789AE
Source: 6IMo1kM9CC.exe Static PE information: section name: .text entropy: 7.491897638969264
Source: feuiuvb.1.dr Static PE information: section name: .text entropy: 7.491897638969264
Source: Ionic.Zip.dll.11.dr Static PE information: section name: .text entropy: 6.821349263259562
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\F817.exe
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\log4net.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe File created: C:\Users\user\AppData\Local\Temp\nsn1FE5.tmp\nsProcess.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\feuiuvb
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\218A.exe
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Local\Temp\nshE60F.tmp\liteFirewall.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Del.exe
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe File created: C:\Users\user\AppData\Local\Temp\nsn1FE5.tmp\INetC.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe File created: C:\Users\user\AppData\Local\Temp\nsn1FE5.tmp\blowfish.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libcef.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\500D.exe
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe File created: C:\Users\user\AppData\Local\Temp\setup.exe
Source: C:\Users\user\AppData\Local\Temp\218A.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\6imo1km9cc.exe
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\feuiuvb:Zone.Identifier read attributes | delete
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\F817.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\218A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\feuiuvb Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\500D.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\F817.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\feuiuvb API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\feuiuvb API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Local\Temp\F817.exe API/Special instruction interceptor: Address: 56AA71
Source: C:\Users\user\AppData\Local\Temp\F817.exe API/Special instruction interceptor: Address: 646310
Source: C:\Users\user\AppData\Local\Temp\F817.exe API/Special instruction interceptor: Address: 69522F
Source: C:\Users\user\AppData\Local\Temp\F817.exe API/Special instruction interceptor: Address: 5776F5
Source: C:\Users\user\AppData\Local\Temp\F817.exe API/Special instruction interceptor: Address: A57E15
Source: C:\Users\user\AppData\Local\Temp\F817.exe API/Special instruction interceptor: Address: 694080
Source: C:\Users\user\AppData\Local\Temp\F817.exe API/Special instruction interceptor: Address: AD4DE8
Source: C:\Users\user\AppData\Local\Temp\F817.exe API/Special instruction interceptor: Address: 654E89
Source: feuiuvb, 00000005.00000002.2053064169.00000000028CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK
Source: 6IMo1kM9CC.exe, 00000000.00000002.1769547128.00000000028EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK4
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 23B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 25A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 45A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 13E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2D40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1340000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2E30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4E30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1490000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 30C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3010000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2A30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2CC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2A30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1450000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2FE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2D40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2D80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2F10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2DA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 16E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3260000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3010000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 10A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2D90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2AC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: B60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 27A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 24E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: B40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 26D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: BB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1210000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2C40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2B60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2F70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 30C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 50C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1880000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 33D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3230000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1260000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2C70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4C70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1110000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2C30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4C30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1210000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2D70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2BB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2B30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2D00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2B30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 880000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 21B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 41B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1070000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2A40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4A40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: BD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 27D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2620000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1040000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2BA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 28A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 21B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 23A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 43A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 17E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3300000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3160000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2800000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 28D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2800000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1270000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2C20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4C20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: D20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2800000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2600000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1650000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3170000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 5170000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Thread delayed: delay time: 600000
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 433
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 4712
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 965
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 878
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 871
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\log4net.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshE60F.tmp\liteFirewall.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn1FE5.tmp\nsProcess.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Del.exe
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\218A.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn1FE5.tmp\INetC.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll
Source: C:\Users\user\AppData\Local\Temp\218A.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn1FE5.tmp\blowfish.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libcef.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll
Source: C:\Windows\explorer.exe TID: 6320 Thread sleep time: -471200s >= -30000s
Source: C:\Windows\explorer.exe TID: 6304 Thread sleep time: -96500s >= -30000s
Source: C:\Windows\explorer.exe TID: 1028 Thread sleep time: -31800s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\F817.exe TID: 4904 Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\F817.exe TID: 4904 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 796 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 6764 Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Last function: Thread delayed (entry repeated 5 times)
Source: C:\Users\user\AppData\Local\Temp\218A.exe Code function: 8_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 8_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\218A.exe Code function: 8_2_004066FF FindFirstFileA,FindClose, 8_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\218A.exe Code function: 8_2_004027AA FindFirstFileA, 8_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_0048256E FindFirstFileExW,FindNextFileW,FindClose,FindClose, 9_2_0048256E
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_03951000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection, 9_2_03951000
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_03954E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW, 9_2_03954E27
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_03951D3C FindFirstFileW,FindNextFileW, 9_2_03951D3C
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_039540BA FindFirstFileW,FindNextFileW, 9_2_039540BA
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_03953EFC FindFirstFileW,FindNextFileW, 9_2_03953EFC
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_00417563 GetLogicalDriveStringsW,lstrcatW,InterlockedExchangeAdd,WriteConsoleA,lstrcpynW,GetAtomNameA,AreFileApisANSI,ReadConsoleOutputA,SetVolumeMountPointW,GetModuleFileNameW,EnumCalendarInfoExW,GetBoundsRect,EnumDependentServicesA,GlobalAlloc,AddAtomA,GetCommProperties,GetTickCount,GetLastError,ZombifyActCtx,GetConsoleAliasesW,FoldStringA,LoadLibraryA, 0_2_00417563
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_03952054 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA, 9_2_03952054
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\500D.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
Source: C:\Users\user\AppData\Local\Temp\500D.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Users\user\AppData\Local\Temp\500D.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
Source: C:\Users\user\AppData\Local\Temp\500D.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\AppData\Local\Temp\500D.exe File opened: C:\Users\user\AppData\Local\Adobe\
Source: C:\Users\user\AppData\Local\Temp\500D.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: explorer.exe, 00000001.00000000.1760695301.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: F817.exe, 00000006.00000002.2218701659.0000000001123000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2118943069.0000000001121000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2173732761.000000000111F000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2215674715.0000000001121000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2173227406.000000000111F000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2118709626.000000000111F000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2184396052.000000000111F000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2184556180.0000000001121000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2174106668.0000000001121000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW'f
Source: explorer.exe, 00000001.00000000.1760250620.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1760250620.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
Source: 500D.exe, 00000009.00000002.3030907075.000000000125E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(F+
Source: explorer.exe, 00000001.00000000.1758639287.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000001.00000000.1760695301.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1757276311.0000000001248000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1758639287.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1760695301.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1758639287.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000001.00000000.1760250620.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1760250620.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1760250620.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, F817.exe, 00000006.00000002.2218701659.000000000112B000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2173227406.000000000112B000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2118709626.000000000112B000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2215674715.000000000112B000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000002.2218495807.00000000010DE000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2184396052.000000000112B000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2174106668.000000000112B000.00000004.00000020.00020000.00000000.sdmp, F817.exe, 00000006.00000003.2173732761.000000000112B000.00000004.00000020.00020000.00000000.sdmp, 218A.exe, 00000008.00000003.3682044502.0000000000662000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.1760695301.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: 500D.exe, 00000009.00000002.3030907075.000000000129D000.00000004.00000020.00020000.00000000.sdmp, 500D.exe, 00000009.00000003.2803440508.00000000012B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: 218A.exe, 00000008.00000002.3692884368.000000000067C000.00000004.00000020.00020000.00000000.sdmp, 218A.exe, 00000008.00000003.3681961444.000000000067A000.00000004.00000020.00020000.00000000.sdmp, 218A.exe, 00000008.00000003.3681754297.0000000000675000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW}
Source: explorer.exe, 00000001.00000000.1758639287.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000001.00000000.1760250620.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1757276311.0000000001248000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.1757276311.0000000001248000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
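The device identifiers above (VMware virtual disk, NECVMWar SATA CD-ROM, Msft Virtual DVD-ROM, Hyper-V RAW) are the kind of strings a disk-enumeration VM check keys on, and the report's summary flags exactly such a check. The following Python is an added example and is not part of this report or of the sample: it scans a list of strings for hypervisor vendor markers, which is both what such a check does and what a sandbox operator can run over their own image's device names to see what a sample would find. The marker table, the strong/weak split and the sample strings (copied from the entries above, plus one constructed benign disk ID) are the example's own assumptions. One caveat is built in: "Hyper-V RAW" is the name of the hvsocket Winsock provider on Windows 10 and later and is present on physical hosts too, so on its own it is not evidence of a virtual machine.

```python
import re

# Vendor markers that hypervisors leave in storage and device identifiers.
# The table and the strong/weak split are assumptions for this example.
# "Hyper-V RAW" is the Windows hvsocket Winsock provider name and exists on
# Windows 10+ hosts whether or not they are virtual, so it is only weak.
VM_MARKERS = [
    # (vendor, regex applied to the lower-cased string, strong indicator?)
    ("vmware",     r"vmware",                True),
    ("vmware",     r"necvmwar",              True),
    ("hyper-v",    r"ven_msft&prod_virtual", True),
    ("hyper-v",    r"hyper-v raw",           False),
    ("virtualbox", r"vbox|virtualbox",       True),
    ("qemu/kvm",   r"qemu|\bkvm\b",          True),
]


def vm_artifact_hits(strings):
    """Map vendor -> [(matching string, strong)] for every string with a marker.

    Matching is case-insensitive because the report shows the same device ID
    in both forms (SCSI\\DISK&VEN_VMWARE and SCSI\\Disk&Ven_VMware).
    """
    hits = {}
    for s in strings:
        low = s.lower()
        for vendor, pattern, strong in VM_MARKERS:
            if re.search(pattern, low):
                hits.setdefault(vendor, []).append((s, strong))
                break  # one vendor per string is enough
    return hits


def looks_virtual(strings):
    """True only if at least one strong marker was seen."""
    return any(strong for found in vm_artifact_hits(strings).values()
               for _, strong in found)


# Constructed sample: device strings copied from the report entries above,
# plus one benign physical-disk ID that must not trigger.
SAMPLE_STRINGS = [
    r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000",
    r"SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000",
    "Hyper-V RAW",
    r"\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001",
    r"SCSI\Disk&Ven_Samsung&Prod_SSD_870\4&deadbeef&0&000000",
]

if __name__ == "__main__":
    for vendor, found in vm_artifact_hits(SAMPLE_STRINGS).items():
        print(vendor, [s for s, _ in found])
    print("virtual:", looks_virtual(SAMPLE_STRINGS))
```

Feed it the output of a strings run over a memory dump, or the device names from a sandbox image, and anything that shows up as a strong hit is what a sample's disk-enumeration check will see as well.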
Source: C:\Users\user\AppData\Local\Temp\218A.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\6IMo1kM9CC.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\feuiuvb System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\feuiuvb Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_00474383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00474383
Source: C:\Users\user\AppData\Local\Temp\218A.exe Code function: 8_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary, 8_2_100010D0
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_0278092B mov eax, dword ptr fs:[00000030h] 0_2_0278092B
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_02780D90 mov eax, dword ptr fs:[00000030h] 0_2_02780D90
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Code function: 0_2_02904CD0 push dword ptr fs:[00000030h] 0_2_02904CD0
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_0274092B mov eax, dword ptr fs:[00000030h] 5_2_0274092B
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_02740D90 mov eax, dword ptr fs:[00000030h] 5_2_02740D90
Source: C:\Users\user\AppData\Roaming\feuiuvb Code function: 5_2_028E30E0 push dword ptr fs:[00000030h] 5_2_028E30E0
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_00485891 GetProcessHeap, 9_2_00485891
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_00474383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00474383
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_00470495 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00470495
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_00470622 SetUnhandledExceptionFilter, 9_2_00470622
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_004706F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_004706F0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: 500D.exe.1.dr
Source: C:\Windows\explorer.exe Network Connect: 190.98.23.157 80
Source: C:\Windows\explorer.exe Network Connect: 141.8.192.126 80
Source: C:\Windows\explorer.exe Network Connect: 185.68.16.7 443
Source: C:\Windows\explorer.exe Network Connect: 127.0.0.127 80
Source: C:\Windows\explorer.exe Network Connect: 188.114.97.3 80
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Thread created: C:\Windows\explorer.exe EIP: 11F19D0
Source: C:\Users\user\AppData\Roaming\feuiuvb Thread created: unknown EIP: 87E19D0
Source: F817.exe, 00000006.00000002.2216933024.000000000022D000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: pedestriankodwu.xyz
Source: F817.exe, 00000006.00000002.2216933024.000000000022D000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: towerxxuytwi.xyz
Source: F817.exe, 00000006.00000002.2216933024.000000000022D000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: ellaboratepwsz.xyz
Source: F817.exe, 00000006.00000002.2216933024.000000000022D000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: penetratedpoopp.xyz
Source: F817.exe, 00000006.00000002.2216933024.000000000022D000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: swellfrrgwwos.xyz
Source: F817.exe, 00000006.00000002.2216933024.000000000022D000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: contintnetksows.shop
Source: F817.exe, 00000006.00000002.2216933024.000000000022D000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: foodypannyjsud.shop
Source: F817.exe, 00000006.00000002.2216933024.000000000022D000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: potterryisiw.shop
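Turning the Network Connect entries from the injected explorer.exe and the domain strings from F817.exe above into usable indicators. This Python is an added example and not part of the report: it parses lines of the shape shown above, separates routable addresses from ones that cannot be a C2 (127.0.0.127 sits in the loopback block 127.0.0.0/8, so alerting on it only adds noise), and defangs the result for sharing. The line regexes and the sample lines (copied from the entries above) are constructed for the example.

```python
import ipaddress
import re

# Line shapes used by the report for the entries above; the regexes are
# assumptions fitted to those entries, not a published report schema.
NET_RE = re.compile(r"Network Connect: (\S+) (\d{1,5})\b")
STR_RE = re.compile(r"String found in binary or memory: (\S+)")
DOMAIN_RE = re.compile(r"^(?=.{4,253}$)(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def extract_iocs(lines):
    """Pull network IOCs out of report lines.

    Returns {"ips": [(ip, port)], "domains": [...], "skipped": [(ip, port)]}.
    Non-routable addresses go to "skipped": 127.0.0.127 in the report is in
    the loopback block 127.0.0.0/8, so it can never be a C2.
    """
    ips, domains, skipped = [], [], []
    seen = set()
    for line in lines:
        m = NET_RE.search(line)
        if m:
            ip, port = m.group(1), int(m.group(2))
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # not an IP literal; nothing to block
            if (ip, port) in seen:
                continue
            seen.add((ip, port))
            (ips if addr.is_global else skipped).append((ip, port))
            continue
        m = STR_RE.search(line)
        if m and DOMAIN_RE.match(m.group(1)) and m.group(1) not in seen:
            seen.add(m.group(1))
            domains.append(m.group(1))
    return {"ips": ips, "domains": domains, "skipped": skipped}


def defang(indicator):
    """Render an IOC so it cannot be clicked by accident when shared."""
    return indicator.replace(".", "[.]")


# Constructed sample: the Network Connect and string entries copied from above.
SAMPLE_LINES = [
    r"Source: C:\Windows\explorer.exe Network Connect: 190.98.23.157 80",
    r"Source: C:\Windows\explorer.exe Network Connect: 141.8.192.126 80",
    r"Source: C:\Windows\explorer.exe Network Connect: 185.68.16.7 443",
    r"Source: C:\Windows\explorer.exe Network Connect: 127.0.0.127 80",
    r"Source: C:\Windows\explorer.exe Network Connect: 188.114.97.3 80",
] + [
    "Source: F817.exe, 00000006.00000002.2216933024.000000000022D000.00000002."
    "00000001.01000000.00000007.sdmp String found in binary or memory: " + d
    for d in (
        "pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz",
        "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop",
        "foodypannyjsud.shop", "potterryisiw.shop",
    )
]

if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_LINES)
    for ip, port in iocs["ips"]:
        print(f"{defang(ip)}:{port}")
    for d in iocs["domains"]:
        print(defang(d))
    print("skipped:", iocs["skipped"])
```

The domain filter is deliberately strict (a label-dot-label shape with an alphabetic TLD) so that memory strings such as "Hyper-V RAW" or file paths never leak into a blocklist; widen it only if a report contains IDN or single-label names you actually want.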
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\6IMo1kM9CC.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\feuiuvb Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\feuiuvb Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3388 --field-trial-handle=3392,i,3288241207481235149,17663016533976522537,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3548 --field-trial-handle=3392,i,3288241207481235149,17663016533976522537,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3692 --field-trial-handle=3392,i,3288241207481235149,17663016533976522537,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719981540330969 --launch-time-ticks=4728010167 --mojo-platform-channel-handle=4152 --field-trial-handle=3392,i,3288241207481235149,17663016533976522537,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719981540330969 --launch-time-ticks=4728172431 --mojo-platform-channel-handle=4208 --field-trial-handle=3392,i,3288241207481235149,17663016533976522537,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 16_4 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.0 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3388 --field-trial-handle=3392,i,3288241207481235149,17663016533976522537,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 16_4 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.0 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3548 --field-trial-handle=3392,i,3288241207481235149,17663016533976522537,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 16_4 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.0 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3692 --field-trial-handle=3392,i,3288241207481235149,17663016533976522537,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 16_4 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.0 mobile/15e148 safari/604.1" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719981540330969 --launch-time-ticks=4728010167 --mojo-platform-channel-handle=4152 --field-trial-handle=3392,i,3288241207481235149,17663016533976522537,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 16_4 like mac os x) applewebkit/605.1.15 (khtml, like gecko) version/17.0 mobile/15e148 safari/604.1" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719981540330969 --launch-time-ticks=4728172431 --mojo-platform-channel-handle=4208 --field-trial-handle=3392,i,3288241207481235149,17663016533976522537,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: explorer.exe, 00000001.00000000.1757542799.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1758487871.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1760250620.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1757542799.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1757276311.0000000001248000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1757542799.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1757542799.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_0047013C cpuid 9_2_0047013C
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: EnumSystemLocalesW, 9_2_00485051
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 9_2_004850DC
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: GetLocaleInfoW, 9_2_0047E096
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: GetLocaleInfoW, 9_2_0048532F
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 9_2_00485458
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: GetLocaleInfoW, 9_2_0048555E
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 9_2_00485634
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: EnumSystemLocalesW, 9_2_0047DBC7
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: EnumSystemLocalesW, 9_2_00484F69
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: EnumSystemLocalesW, 9_2_00484F6B
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: EnumSystemLocalesW, 9_2_00484FB6
Source: C:\Users\user\AppData\Local\Temp\F817.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\500D.exe Code function: 9_2_0047038F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 9_2_0047038F
Source: C:\Users\user\AppData\Local\Temp\218A.exe Code function: 8_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 8_2_004034CC
Source: C:\Users\user\AppData\Local\Temp\F817.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: F817.exe, 00000006.00000003.2184396052.000000000112B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\F817.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: F817.exe PID: 4168, type: MEMORYSTR
Source: Yara match File source: 9.2.500D.exe.130dd40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.500D.exe.3950000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.500D.exe.12c72e0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.500D.exe.3950000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.500D.exe.130dd40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.500D.exe.12c72e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.3030907075.00000000012BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3040838981.0000000003950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 500D.exe PID: 3684, type: MEMORYSTR
Source: Yara match File source: 00000000.00000002.1769827734.0000000004381000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2053247298.0000000004360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1769149234.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2053302883.0000000004381000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: F817.exe, 00000006.00000002.2218701659.000000000112B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum-LTC
Source: F817.exe, 00000006.00000002.2218701659.000000000112B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: F817.exe, 00000006.00000002.2218701659.000000000112B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: F817.exe, 00000006.00000003.2173227406.000000000112B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty
Source: F817.exe, 00000006.00000003.2173227406.000000000112B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: F817.exe, 00000006.00000002.2218701659.000000000112B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: F817.exe, 00000006.00000002.2218701659.000000000112B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: F817.exe, 00000006.00000003.2173227406.0000000001102000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: F817.exe, 00000006.00000003.2118679811.0000000001180000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "m": ["keystore"],
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\500D.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\500D.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\500D.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\500D.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\500D.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\500D.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\500D.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla\Notes9.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe Directory queried: C:\Users\user\Documents\JSDNGYCOWY Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe Directory queried: C:\Users\user\Documents\JSDNGYCOWY Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F817.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Directory queried: number of queries: 1460
Source: Yara match File source: Process Memory Space: F817.exe PID: 4168, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: F817.exe PID: 4168, type: MEMORYSTR
Source: Yara match File source: 9.2.500D.exe.130dd40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.500D.exe.3950000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.500D.exe.12c72e0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.500D.exe.3950000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.500D.exe.130dd40.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.500D.exe.12c72e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.3030907075.00000000012BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3040838981.0000000003950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 500D.exe PID: 3684, type: MEMORYSTR
Source: Yara match File source: 00000000.00000002.1769827734.0000000004381000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2053247298.0000000004360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1769149234.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2053302883.0000000004381000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY