Windows Analysis Report
EiPVv5yELP.exe

AV Detection

Source: EiPVv5yELP.exe

Avira: detected

Source: https://foodypannyjsud.shop/api.	Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/s	Avira URL Cloud: Label: malware
Source: http://gebeus.ru/tmp/index.php	Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/a	Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/Q	Avira URL Cloud: Label: malware
Source: http://cx5519.com/tmp/index.php	Avira URL Cloud: Label: malware
Source: contintnetksows.shop	Avira URL Cloud: Label: malware
Source: http://evilos.cc/tmp/index.php	Avira URL Cloud: Label: malware
Source: ellaboratepwsz.xyz	Avira URL Cloud: Label: malware
Source: swellfrrgwwos.xyz	Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/)	Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/apig	Avira URL Cloud: Label: malware
Source: foodypannyjsud.shop	Avira URL Cloud: Label: malware
Source: pedestriankodwu.xyz	Avira URL Cloud: Label: malware

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\huge[1].dat	Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Avira: detection malicious, Label: HEUR/AGEN.1313486
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Avira: detection malicious, Label: HEUR/AGEN.1352426
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Avira: detection malicious, Label: HEUR/AGEN.1359405

Source: 00000000.00000002.2273150285.00000000028B0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
Source: 11.2.62FC.exe.979a60.2.unpack	Malware Configuration Extractor: Poverty Stealer {"C2 url": "146.70.169.164:2227"}
Source: 2499.exe.2616.8.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "bOKHNM--"}

Source: C:\Users\user\AppData\Local\Temp\2499.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Roaming\whhsvcw	ReversingLabs: Detection: 60%

Source: EiPVv5yELP.exe	Virustotal: Detection: 41%			Perma Link
Source: EiPVv5yELP.exe	ReversingLabs: Detection: 60%

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\Temp\2499.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\Del.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Joe Sandbox ML: detected

Source: EiPVv5yELP.exe

Joe Sandbox ML: detected

Cryptography

Source: C:\Users\user\AppData\Local\Temp\62FC.exe

Code function: 11_2_03241C94 CryptUnprotectData,CryptProtectData,

11_2_03241C94

Compliance

Source: C:\Users\user\AppData\Local\Temp\62FC.exe

Unpacked PE file: 11.2.62FC.exe.3240000.3.unpack

Source: EiPVv5yELP.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\setup.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall

Source: C:\Users\user\Desktop\EiPVv5yELP.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: nsv9958.tmp.14.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: nsv9958.tmp.14.dr
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbP2Ks& source: 62FC.exe, 0000000B.00000002.3658241175.000000000A400000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: h:\work\newContent\secondBranch\DeleteProgram\DeleteProgram\obj\Release\KlMain.pdb source: nsv9958.tmp.14.dr
Source:	Binary string: ntkrnlmp.pdbx source: 62FC.exe, 0000000B.00000002.3658241175.000000000A400000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000F.00000000.3812506612.0000000000772000.00000002.00000001.01000000.00000010.sdmp, nsv9958.tmp.14.dr
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 00000011.00000002.3962952101.0000000005A52000.00000002.00000001.01000000.00000013.sdmp, nsv9958.tmp.14.dr
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000011.00000002.3958936963.0000000005582000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: ntkrnlmp.pdbR6Mo( source: 62FC.exe, 0000000B.00000002.3658241175.000000000A400000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D3DCompiler_43.pdb` source: d3dcompiler_43.dll.14.dr
Source:	Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000E.00000002.3964292603.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, nsv9958.tmp.14.dr
Source:	Binary string: libGLESv2.dll.pdb source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb source: nsv9958.tmp.14.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\** source: 62FC.exe, 0000000B.00000002.3523455444.000000000091D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb$# source: nsv9958.tmp.14.dr
Source:	Binary string: D3DCompiler_43.pdb source: d3dcompiler_43.dll.14.dr
Source:	Binary string: libEGL.dll.pdb source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbM4Nm) source: 62FC.exe, 0000000B.00000002.3658241175.000000000A400000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 00000011.00000002.3962952101.0000000005A52000.00000002.00000001.01000000.00000013.sdmp, nsv9958.tmp.14.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831a source: 62FC.exe, 0000000B.00000002.3523455444.000000000091D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 00000011.00000002.3958936963.0000000005582000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: \Desktop\projects\Release\BigProject.pdb source: 62FC.exe, 0000000B.00000002.3523082048.0000000000289000.00000002.00000001.01000000.0000000C.sdmp, 62FC.exe, 0000000B.00000000.2713431295.0000000000289000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000E.00000002.3964292603.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, nsv9958.tmp.14.dr
Source:	Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exewall.dlldll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exealldll source: setup.exe, 0000000E.00000002.3963386902.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
Source:	Binary string: \Desktop\projects\Release\BigProject.pdb. source: 62FC.exe, 0000000B.00000002.3523082048.0000000000289000.00000002.00000001.01000000.0000000C.sdmp, 62FC.exe, 0000000B.00000000.2713431295.0000000000289000.00000002.00000001.01000000.0000000C.sdmp

Spreading

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Directory queried: number of queries: 1294

Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Code function: 10_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		10_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Code function: 10_2_004066FF FindFirstFileA,FindClose,		10_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Code function: 10_2_004027AA FindFirstFileA,		10_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_002824BD FindFirstFileExW,		11_2_002824BD
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_03241000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection,		11_2_03241000
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_03244E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,		11_2_03244E27
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_03241D3C FindFirstFileW,FindNextFileW,		11_2_03241D3C
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_032440BA FindFirstFileW,FindNextFileW,		11_2_032440BA
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_03243EFC FindFirstFileW,FindNextFileW,		11_2_03243EFC

Source: C:\Users\user\AppData\Local\Temp\62FC.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	File opened: C:\Users\user\AppData\Local\Adobe\			Jump to behavior

Networking

Source: C:\Windows\explorer.exe	Network Connect: 141.8.192.126 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.68.16.7 443			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 127.0.0.127 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.3 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 186.101.193.110 80			Jump to behavior

Source: Malware configuration extractor	URLs: pedestriankodwu.xyz
Source: Malware configuration extractor	URLs: towerxxuytwi.xyz
Source: Malware configuration extractor	URLs: ellaboratepwsz.xyz
Source: Malware configuration extractor	URLs: penetratedpoopp.xyz
Source: Malware configuration extractor	URLs: swellfrrgwwos.xyz
Source: Malware configuration extractor	URLs: contintnetksows.shop
Source: Malware configuration extractor	URLs: foodypannyjsud.shop
Source: Malware configuration extractor	URLs: potterryisiw.shop
Source: Malware configuration extractor	URLs: potterryisiw.shop
Source: Malware configuration extractor	URLs: http://evilos.cc/tmp/index.php
Source: Malware configuration extractor	URLs: http://gebeus.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://office-techs.biz/tmp/index.php
Source: Malware configuration extractor	URLs: http://cx5519.com/tmp/index.php
Source: Malware configuration extractor	URLs: 146.70.169.164:2227

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 141.8.192.126 141.8.192.126

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: TelconetSAEC TelconetSAEC
Source: Joe Sandbox View	ASN Name: SPRINTHOSTRU SPRINTHOSTRU

Source: C:\Users\user\AppData\Local\Temp\62FC.exe

Code function: 11_2_00215B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,InternetCloseHandle,FreeLibrary,task,

11_2_00215B80

Source: GamePall.exe, 00000025.00000002.4299577434.0000000002FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.install-stat.debug.world/clients/activity
Source: GamePall.exe, 0000001C.00000002.4413242825.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000020.00000002.4472949813.0000000002D78000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000021.00000002.4425678976.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.install-stat.debug.world/clients/activitye
Source: GamePall.exe, 00000025.00000002.4299577434.0000000002FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.install-stat.debug.world/clients/installs
Source: GamePall.exe, 00000025.00000002.4299577434.0000000002FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bageyou.xyz
Source: GamePall.exe, 0000000F.00000002.4201869459.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bageyou.xyz/c/g
Source: GamePall.exe, 0000000F.00000002.4201869459.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bageyou.xyz/c/g4
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 2499.exe, 00000008.00000003.2623382731.0000000004023000.00000004.00000800.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3513633343.000000000A46F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 2499.exe, 00000008.00000003.2623382731.0000000004023000.00000004.00000800.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3513633343.000000000A46F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: explorer.exe, 00000002.00000000.2261967756.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2261967756.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crbug.com/275944
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crbug.com/378067
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crbug.com/437891.
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crbug.com/456214
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crbug.com/497301
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crbug.com/510270
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crbug.com/514696
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crbug.com/642141
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crbug.com/672186).
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crbug.com/717501
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crbug.com/775961
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crbug.com/819404
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crbug.com/839189
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crbug.com/932466
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crbug.com/957772
Source: 2499.exe, 00000008.00000003.2623382731.0000000004023000.00000004.00000800.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3513633343.000000000A46F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 2499.exe, 00000008.00000003.2623382731.0000000004023000.00000004.00000800.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3513633343.000000000A46F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 2499.exe, 00000008.00000003.2623382731.0000000004023000.00000004.00000800.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3513633343.000000000A46F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: explorer.exe, 00000002.00000000.2261967756.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2261967756.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 2499.exe, 00000008.00000003.2623382731.0000000004023000.00000004.00000800.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3513633343.000000000A46F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: explorer.exe, 00000002.00000000.2261967756.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2261967756.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 2499.exe, 00000008.00000003.2623382731.0000000004023000.00000004.00000800.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3513633343.000000000A46F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: GamePall.exe, 00000011.00000002.3958936963.0000000005582000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: 45DE.exe, 45DE.exe, 0000000A.00000002.3970703843.000000000040A000.00000004.00000001.01000000.00000008.sdmp, 45DE.exe, 0000000A.00000000.2651884486.000000000040A000.00000008.00000001.01000000.00000008.sdmp, setup.exe, 0000000E.00000000.3511852437.000000000040A000.00000008.00000001.01000000.0000000E.sdmp, setup.exe, 0000000E.00000002.3963386902.000000000040A000.00000004.00000001.01000000.0000000E.sdmp, setup.exe, 0000000E.00000003.3812625540.0000000000639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 45DE.exe, 0000000A.00000002.3970703843.000000000040A000.00000004.00000001.01000000.00000008.sdmp, 45DE.exe, 0000000A.00000000.2651884486.000000000040A000.00000008.00000001.01000000.00000008.sdmp, setup.exe, 0000000E.00000000.3511852437.000000000040A000.00000008.00000001.01000000.0000000E.sdmp, setup.exe, 0000000E.00000002.3963386902.000000000040A000.00000004.00000001.01000000.0000000E.sdmp, setup.exe, 0000000E.00000003.3812625540.0000000000639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000002.00000000.2261967756.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2261967756.000000000973C000.00000004.00000001.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2623382731.0000000004023000.00000004.00000800.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3513633343.000000000A46F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 00000002.00000000.2261967756.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: 2499.exe, 00000008.00000003.2623382731.0000000004023000.00000004.00000800.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3513633343.000000000A46F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: explorer.exe, 00000002.00000000.2259528590.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2261086779.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2261098906.0000000007B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: GamePall.exe, 0000000F.00000002.4201869459.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: GamePall.exe, 00000011.00000002.3958936963.0000000005582000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.apache.org/).
Source: GamePall.exe, 00000011.00000002.3958936963.0000000005582000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: GamePall.exe, 00000011.00000002.3958936963.0000000005582000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: nsv9958.tmp.14.dr	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: GamePall.exe, 00000013.00000002.4913818250.0000000006280000.00000002.00000001.00040000.0000001D.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html
Source: 2499.exe, 00000008.00000003.2623382731.0000000004023000.00000004.00000800.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3513633343.000000000A46F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 2499.exe, 00000008.00000003.2623382731.0000000004023000.00000004.00000800.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3513633343.000000000A46F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 45DE.exe, 0000000A.00000003.3970280892.00000000004F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xiexie.wf/22_551/huge.dat
Source: 45DE.exe, 0000000A.00000002.3971865750.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, 45DE.exe, 0000000A.00000003.3969776646.00000000004F8000.00000004.00000020.00020000.00000000.sdmp, 45DE.exe, 0000000A.00000003.3970280892.00000000004F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xiexie.wf/22_551/huge.dat3KOy
Source: 45DE.exe, 0000000A.00000002.3971865750.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, 45DE.exe, 0000000A.00000003.3969776646.00000000004F8000.00000004.00000020.00020000.00000000.sdmp, 45DE.exe, 0000000A.00000003.3970280892.00000000004F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xiexie.wf/22_551/huge.datOK
Source: 45DE.exe, 0000000A.00000002.3971865750.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, 45DE.exe, 0000000A.00000003.3969776646.00000000004F8000.00000004.00000020.00020000.00000000.sdmp, 45DE.exe, 0000000A.00000003.3970280892.00000000004F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xiexie.wf/22_551/huge.datSH/x&
Source: 45DE.exe, 0000000A.00000002.3971865750.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, 45DE.exe, 0000000A.00000003.3969776646.00000000004F8000.00000004.00000020.00020000.00000000.sdmp, 45DE.exe, 0000000A.00000003.3970280892.00000000004F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xiexie.wf/22_551/huge.datal
Source: 45DE.exe, 0000000A.00000002.3970703843.0000000000434000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://xiexie.wf/22_551/huge.datmCGBZvyfGQlwd
Source: 2499.exe, 00000008.00000003.2599580866.0000000004037000.00000004.00000800.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2599742456.0000000004037000.00000004.00000800.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2599514461.0000000004039000.00000004.00000800.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3475607132.0000000009C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: nsv9958.tmp.14.dr	String found in binary or memory: https://accounts.google.com/
Source: explorer.exe, 00000002.00000000.2262440491.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000002.00000000.2264733443.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.2261967756.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.2261967756.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000002.00000000.2261967756.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.2261967756.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2261967756.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.2261967756.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: 62FC.exe, 0000000B.00000003.3270688961.000000000092A000.00000004.00000020.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000002.3523455444.000000000091D000.00000004.00000020.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3270751204.0000000000934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com/
Source: 62FC.exe, 0000000B.00000002.3523455444.00000000008FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/
Source: 62FC.exe, 0000000B.00000002.3523455444.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000002.3523455444.00000000008FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee
Source: 2499.exe, 00000008.00000003.2624826357.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: 2499.exe, 00000008.00000003.2624826357.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: 62FC.exe, 0000000B.00000003.3270688961.000000000092A000.00000004.00000020.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000002.3523455444.000000000091D000.00000004.00000020.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3270751204.0000000000934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cookielaw.org/
Source: 2499.exe, 00000008.00000003.2599580866.0000000004037000.00000004.00000800.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2599742456.0000000004037000.00000004.00000800.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2599514461.0000000004039000.00000004.00000800.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3475607132.0000000009C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: 2499.exe, 00000008.00000003.2599580866.0000000004037000.00000004.00000800.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2599742456.0000000004037000.00000004.00000800.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2599514461.0000000004039000.00000004.00000800.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3475607132.0000000009C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 2499.exe, 00000008.00000003.2599580866.0000000004037000.00000004.00000800.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2599742456.0000000004037000.00000004.00000800.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2599514461.0000000004039000.00000004.00000800.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3475607132.0000000009C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: nsv9958.tmp.14.dr	String found in binary or memory: https://chrome.google.com/webstore
Source: nsv9958.tmp.14.dr	String found in binary or memory: https://chrome.google.com/webstore/
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4771456418.0000000005B70000.00000002.00000001.00040000.0000001C.sdmp, tr.pak.14.dr	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: GamePall.exe, 00000013.00000002.4771456418.0000000005B70000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: GamePall.exe, 00000013.00000002.4771456418.0000000005B70000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp, tr.pak.14.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u
Source: tr.pak.14.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=trCtrl$1
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ukCtrl$1
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=urCtrl$2
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=viCtrl$1
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CNCtrl$1
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TWCtrl$1
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4771456418.0000000005B70000.00000002.00000001.00040000.0000001C.sdmp, tr.pak.14.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4771456418.0000000005B70000.00000002.00000001.00040000.0000001C.sdmp, tr.pak.14.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4771456418.0000000005B70000.00000002.00000001.00040000.0000001C.sdmp, tr.pak.14.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4771456418.0000000005B70000.00000002.00000001.00040000.0000001C.sdmp, tr.pak.14.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4771456418.0000000005B70000.00000002.00000001.00040000.0000001C.sdmp, tr.pak.14.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4771456418.0000000005B70000.00000002.00000001.00040000.0000001C.sdmp, tr.pak.14.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4771456418.0000000005B70000.00000002.00000001.00040000.0000001C.sdmp, tr.pak.14.dr	String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: nsv9958.tmp.14.dr	String found in binary or memory: https://codereview.chromium.org/25305002).
Source: 2499.exe, 00000008.00000003.2624826357.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: 2499.exe, 00000008.00000003.2624826357.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 62FC.exe, 0000000B.00000002.3523455444.00000000008FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
Source: 62FC.exe, 0000000B.00000002.3523455444.00000000008FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
Source: 2499.exe, 00000008.00000003.2599580866.0000000004037000.00000004.00000800.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2599742456.0000000004037000.00000004.00000800.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2599514461.0000000004039000.00000004.00000800.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3475607132.0000000009C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 2499.exe, 00000008.00000003.2599580866.0000000004037000.00000004.00000800.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2599742456.0000000004037000.00000004.00000800.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2599514461.0000000004039000.00000004.00000800.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3475607132.0000000009C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 2499.exe, 00000008.00000003.2599580866.0000000004037000.00000004.00000800.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2599742456.0000000004037000.00000004.00000800.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2599514461.0000000004039000.00000004.00000800.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3475607132.0000000009C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 62FC.exe, 0000000B.00000003.3270688961.0000000000970000.00000004.00000020.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3270688961.000000000092A000.00000004.00000020.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000002.3523455444.000000000091D000.00000004.00000020.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3270751204.0000000000934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: explorer.exe, 00000002.00000000.2264733443.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com-
Source: 2499.exe, 00000008.00000003.2697192717.0000000001AB9000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2677985248.0000000001AB6000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2598973511.0000000001A54000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2589398281.0000000001A61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/
Source: 2499.exe, 00000008.00000003.2650072383.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2650281642.0000000001A3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/)
Source: 2499.exe, 00000008.00000002.2698759970.0000000001ABA000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2697192717.0000000001AB9000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2677985248.0000000001AB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/B9
Source: 2499.exe, 00000008.00000003.2650005012.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/Q
Source: 2499.exe, 00000008.00000003.2598973511.0000000001A54000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2589398281.0000000001A61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/a
Source: 2499.exe, 00000008.00000003.2650281642.0000000001A54000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000002.2698759970.0000000001ABA000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000002.2698592212.0000000001A3F000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2650005012.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2697192717.0000000001AB9000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2663336486.0000000001AB9000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2677985248.0000000001AB6000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2598973511.0000000001A54000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2697215630.0000000001A3E000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2589398281.0000000001A61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/api
Source: 2499.exe, 00000008.00000002.2698759970.0000000001ABA000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2697192717.0000000001AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/api.
Source: 2499.exe, 00000008.00000003.2677985248.0000000001AB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/apig
Source: 2499.exe, 00000008.00000003.2598973511.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/apind-p
Source: 2499.exe, 00000008.00000002.2698759970.0000000001ABA000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2650005012.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2697192717.0000000001AB9000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2589398281.0000000001A61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/pi
Source: 2499.exe, 00000008.00000003.2650005012.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/s
Source: 2499.exe, 00000008.00000002.2698759970.0000000001ABA000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2697192717.0000000001AB9000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2677985248.0000000001AB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop/zs
Source: 2499.exe, 00000008.00000003.2650072383.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2677985248.0000000001AB6000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2650281642.0000000001A3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foodypannyjsud.shop:443/api
Source: nsv9958.tmp.14.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json/issues/652
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: 2499.exe, 00000008.00000003.2624826357.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4771456418.0000000005B70000.00000002.00000001.00040000.0000001C.sdmp, tr.pak.14.dr	String found in binary or memory: https://myactivity.google.com/
Source: explorer.exe, 00000002.00000000.2264733443.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.come
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.com
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4771456418.0000000005B70000.00000002.00000001.00040000.0000001C.sdmp, tr.pak.14.dr	String found in binary or memory: https://passwords.google.comGoogle
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comT
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4771456418.0000000005B70000.00000002.00000001.00040000.0000001C.sdmp, tr.pak.14.dr	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4771456418.0000000005B70000.00000002.00000001.00040000.0000001C.sdmp, tr.pak.14.dr	String found in binary or memory: https://policies.google.com/
Source: explorer.exe, 00000002.00000000.2264733443.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEMd
Source: 62FC.exe, 0000000B.00000003.3270688961.000000000092A000.00000004.00000020.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000002.3523455444.000000000091D000.00000004.00000020.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3270751204.0000000000934000.00000004.00000020.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000002.3523455444.00000000008FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: 62FC.exe, 0000000B.00000003.3270688961.000000000092A000.00000004.00000020.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000002.3523455444.000000000091D000.00000004.00000020.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3270751204.0000000000934000.00000004.00000020.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000002.3523455444.00000000008FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: GamePall.exe, 0000000F.00000002.4201869459.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rouonixon.com/4/6150781/?ymid=831901360386478080
Source: GamePall.exe, 0000000F.00000002.4201869459.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rouonixon.com/4/6150781/?ymid=831901360386478080&var=6150780&price=
Source: nsv9958.tmp.14.dr	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp, tr.pak.14.dr	String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4771456418.0000000005B70000.00000002.00000001.00040000.0000001C.sdmp, tr.pak.14.dr	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: nsv9958.tmp.14.dr	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 00000013.00000002.4771456418.0000000005B70000.00000002.00000001.00040000.0000001C.sdmp, tr.pak.14.dr	String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: 2499.exe, 00000008.00000003.2624460757.0000000004119000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 2499.exe, 00000008.00000003.2624460757.0000000004119000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: GamePall.exe, 00000011.00000002.3958936963.0000000005582000.00000002.00000001.01000000.00000012.sdmp, GamePall.exe, 00000011.00000002.3960299796.00000000055C6000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
Source: 62FC.exe, 0000000B.00000003.3270688961.000000000092A000.00000004.00000020.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000002.3523455444.000000000091D000.00000004.00000020.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3270751204.0000000000934000.00000004.00000020.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000002.3523455444.00000000008FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.2262440491.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 00000002.00000000.2264733443.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comM
Source: 2499.exe, 00000008.00000003.2624826357.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: nsv9958.tmp.14.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: 2499.exe, 00000008.00000003.2599580866.0000000004037000.00000004.00000800.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2599742456.0000000004037000.00000004.00000800.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2599514461.0000000004039000.00000004.00000800.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3475607132.0000000009C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: nsv9958.tmp.14.dr	String found in binary or memory: https://www.google.com/
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&
Source: GamePall.exe, 00000013.00000002.4771456418.0000000005B70000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&r
Source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp, tr.pak.14.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlYar&d
Source: nsv9958.tmp.14.dr	String found in binary or memory: https://www.google.com/cloudprint
Source: nsv9958.tmp.14.dr	String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connector
Source: 2499.exe, 00000008.00000003.2599580866.0000000004037000.00000004.00000800.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2599742456.0000000004037000.00000004.00000800.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2599514461.0000000004039000.00000004.00000800.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000003.3475607132.0000000009C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 2499.exe, 00000008.00000003.2624370982.000000000401F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: 2499.exe, 00000008.00000003.2624370982.000000000401F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: 2499.exe, 00000008.00000003.2624460757.0000000004119000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: 2499.exe, 00000008.00000003.2624460757.0000000004119000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: 2499.exe, 00000008.00000003.2624460757.0000000004119000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: nsv9958.tmp.14.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: nsv9958.tmp.14.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: nsv9958.tmp.14.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: 2499.exe, 00000008.00000003.2624826357.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match	File source: 00000000.00000002.2273459134.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2273150285.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2576511233.00000000029D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2576456147.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\45DE.exe

Code function: 10_2_004055E7 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

10_2_004055E7

Source: C:\Users\user\AppData\Local\Temp\62FC.exe

Code function: 11_2_03244BA2 GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,DeleteObject,DeleteDC,ReleaseDC,

11_2_03244BA2

DDoS

Source: GamePall.exe

Process created: 44

System Summary

Source: 00000000.00000002.2273300535.00000000028EB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2576624780.0000000002A2D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2273459134.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2273150285.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.2576511233.00000000029D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2273002099.0000000002810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.2576456147.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.2576427770.00000000029A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Code function: 0_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,		0_2_00401538
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Code function: 0_2_00402FE9 RtlCreateUserThread,NtTerminateProcess,		0_2_00402FE9
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Code function: 0_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,		0_2_004014DE
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Code function: 0_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,		0_2_00401496
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Code function: 0_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,		0_2_00401543
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Code function: 0_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,		0_2_00401565
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Code function: 0_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,		0_2_00401579
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Code function: 0_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,		0_2_0040157C
Source: C:\Users\user\AppData\Roaming\whhsvcw	Code function: 6_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,		6_2_00401538
Source: C:\Users\user\AppData\Roaming\whhsvcw	Code function: 6_2_00402FE9 RtlCreateUserThread,NtTerminateProcess,		6_2_00402FE9
Source: C:\Users\user\AppData\Roaming\whhsvcw	Code function: 6_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,		6_2_004014DE
Source: C:\Users\user\AppData\Roaming\whhsvcw	Code function: 6_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,		6_2_00401496
Source: C:\Users\user\AppData\Roaming\whhsvcw	Code function: 6_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,		6_2_00401543
Source: C:\Users\user\AppData\Roaming\whhsvcw	Code function: 6_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,		6_2_00401565
Source: C:\Users\user\AppData\Roaming\whhsvcw	Code function: 6_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,		6_2_00401579
Source: C:\Users\user\AppData\Roaming\whhsvcw	Code function: 6_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,		6_2_0040157C
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Code function: 10_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary,		10_2_100010D0

Source: C:\Users\user\AppData\Local\Temp\45DE.exe

Code function: 10_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

10_2_004034CC

Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Code function: 10_2_00406A88		10_2_00406A88
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_00271490		11_2_00271490
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_0027D515		11_2_0027D515
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_00284775		11_2_00284775
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_0027BE09		11_2_0027BE09

Source: C:\Users\user\AppData\Local\Temp\62FC.exe

Code function: String function: 00270310 appears 51 times

Source: EiPVv5yELP.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2273300535.00000000028EB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.2576624780.0000000002A2D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2273459134.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2273150285.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.2576511233.00000000029D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2273002099.0000000002810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.2576456147.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.2576427770.00000000029A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56

Source: EiPVv5yELP.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: whhsvcw.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Ionic.Zip.dll.14.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformBlock'
Source: Ionic.Zip.dll.14.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Ionic.Zip.dll.14.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: GamePall.exe.14.dr, Program.cs

Base64 encoded string: 'pizR9uKkcZIkMW+F1cRjYV0LMt6eYXmLuiNCndESDPkTO3eY1Mjv7Hs2Qvo+t26G', 'ZTDMzZVpdA1FSa2RiY6ZCl2QGyLDtQ3OBRa/N40wO2xxcvcDsATtLRGwKtaEB36dqPJnDF8qXNs92JbMBlsOyg==', 'nYQvMVlU2Asj2rNkmi7xBNqGCkGzSnaP0raCPfB8A9hSwWFTIjPcsKgDrCVAEwSQ1lHf/WOhnKR59a5JjrkJVUOFvV43wO8MM1FKgjYuj7ZzvvuGve+okViUQx+oGN+llGnjS4Fm9o1MUn7p+qcPVIDZRcvMal1ARjQNk+bFvT5vC4J8slkhLZYtvBYmOybvSK90G7/f/U8GPBdM7WBmfFdHzzGxw6WFcHlkdySP8Nvmzff08RdOn8QOu8FlABEqqEjQ0W84v+/lU0lmhvzugpodd8fIp2kb2/twZPg9/Jsy5viOC65K8bs1ES63SA2d62f5cJYpFf1f0WBQbCBcSzfwiDlBCWVIW9vFXW1awyEMdm3q36+BViyETC5tnyHuoLRgf3bXoQAwqE0OIII5DROfW+LmqqHY82rVXHAqhVjdA2wZRWcSI1zxV7+qTfhmp9qbIQAWSuuXTzhbIvI3gjvtPCdz9uBv8rjyg1XZNxfdgYdtF+klyGgKdefnu5G2pgjfT3Kb/VbjgkFvLlqtWNr5K7iC080FVeHsZazMHUrrDtsmNdChtvnX8Zj77rIGVxi9RfvHhhIhBj+WSos+lJ2nuvQkUpqVEa1mrZSwPezG/uoh0qvs+BAHbNFNjv99WS6tgWIkvcQVCi2h3cfxTGQiZDetQZqB+N/mnvgC6WdrcRKGHBE4mp6bpgTY9+nt3lPiH6OZnlxC8rdHbuGtY6R/FgNFYkw49JWXYeZ1VV3KnjSrFMvDlkyMCAW1X9/1VoC+f73WVYMLwXafDKtGO2lfr9vwKms+8HoEgs7bj0aroIPdmLK/z/djAsFZO8Vp', 'T7BWwqrn4yISEECEAnARpwE8R+3lDHSc+RlcJT90an1SNsS27lGBQjOx4RmDHlrj7oJnnzx1IWXOkbTfLzBeCfU6UJhOIoQKhcWidAxAKIxvqZnoB6AujIU0F7dEj65vahyTdEvkIxzFaV2+akbl53KcDi5RPBOP16iXVi0WJdHV5AbSCI9WCEcSX/fUpmukBh4bjVF/T/P/B6TFVtNZintCOSO2Ha+2va2CJMOnJ020zYskwuvcH9d1rGD3Zf9RBC2obzrhRNK2LXTEIYnifs6L2UdqFhw5aANXILziQtzKvsTQKvc15hvHCCoeXJCyyK7/WgA/oRu7bdrTs2DwCQ==', 'ZY0WCEgzqiLEU8ZUVJwGTpbkuL9KoMwYVloBqJXjur8rfBZEXTysQNKRQ1H7/vn7o0wyHAux60SVy06r4v6So5WWxddei09LXvL6ZwK/tyY=', 's7iS2XfzyI+IBoARaZQlTINg1kEy7qT7EopaSHQzpqktZBtc7UiOYrPdv/6f4cNI', 'o2ZleBui4P9C2ZjnB98Vuesy1C+WucHiXjQJ8RANoX6TheGfnLYAWDsXRfSeNCDHWdkBP2RBrkWPBy/nuM2NFLMETMUsPFeG3JHWafvGKzaNEjYO3Up9m61SnaY5tINvLCYJ/TKITszJ9H1YSm2chnmQGLUzbz4pwvWvvKfH8m7z585W73/QZrtw3l/30vcZaVocgwemYusDJYsOTgeWc0okiDahD7qtJcBYZ0aOzxZZmHDMBYigkRVf8GTJ/xucA/i7EHBFpaWoLVZVcuGFMA==', 'T7BWwqrn4yISEECEAnARp+JyVgG3cZc2/9+3VbyOjc4PuRSCU7ZfXuXpIIH8uj2roUU+W7nSmXHqTuxLhe6DBfNVh8PFZrhNX/YhIexDxrk=', 'G4TxOgdwfNBdU+6bscw2hqt3kZYZMfoEuKZtmCxRLrF8xJCK1+L0ocd8eSQjty7d', 'PcG64iM3U1vDIVDm7HuwTSvKhuz45f/WPqYoWZvzLHcapbEfkynZkUjmDgg30eof', 'XGcq7Js3+2f2oGHGFzxJPiYsrodwK+bTw/0lKjiUd0tSWMHEjdVqzAclD1/nPksq3sGhVTN8oFeHMRE7wAt3mCLVCEXKF9JLnNeWw9vvCbs=', 'T7BWwqrn4yISEECEAnARp8UQ6kvfa8mDiwe39obQZ+Rxfj5bbo//kf+4mlTsZUEg0QM/4QBKb6sUDMsk9OTdYg==', 'T7BWwqrn4yISEECEAnARp/U1NCwfjpQ4K5UKuMbDqXSrjfU6Tf/pOCpHlHXtYnU5', 'Gg/rFkGmnFrfPAny9sQ3qerPGxlC7+cuu92x2tgXrCRkqABwTbbIR8+hJN0krbBD9OJX8s2JqeR+xICuD2u17N7KjlWCZwpg4+c7mG1xAahALfXXbu/EvJy+KsAzQlzR9bu8P4wbyuM6r6/7kdf+VQ==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLT3pudJg4gGhcEax3IHwBI0R5vZR7J9mjUQ8R9MdKz/Fw==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLTcCwJrbTmNGWmZutw1Di2FSZ+3JxFtC00BiemuQuq2+A=='

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@251/115@0/8

Source: C:\Users\user\AppData\Local\Temp\45DE.exe

Code function: 10_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

10_2_004034CC

Source: C:\Users\user\AppData\Local\Temp\45DE.exe

Code function: 10_2_00404897 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

10_2_00404897

Source: C:\Users\user\Desktop\EiPVv5yELP.exe

Code function: 0_2_028EE7CE CreateToolhelp32Snapshot,Module32First,

0_2_028EE7CE

Source: C:\Users\user\AppData\Local\Temp\45DE.exe

Code function: 10_2_00402173 CoCreateInstance,MultiByteToWideChar,

10_2_00402173

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\whhsvcw

Jump to behavior

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_mainLog.txt
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Mutant created: \Sessions\1\BaseNamedObjects\1e7f31ac-1494-47cc-9633-054c20e7432e
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_rendLog.txt

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\2499.tmp

Jump to behavior

Source: EiPVv5yELP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\EiPVv5yELP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

File read: C:\Windows\System32\drivers\etc\hosts

Source: 2499.exe, 00000008.00000003.2599683424.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2613799340.0000000001AD5000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2613170201.0000000001AD4000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2613047961.0000000004003000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: EiPVv5yELP.exe	Virustotal: Detection: 41%
Source: EiPVv5yELP.exe	ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\EiPVv5yELP.exe "C:\Users\user\Desktop\EiPVv5yELP.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\whhsvcw C:\Users\user\AppData\Roaming\whhsvcw
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\2499.exe C:\Users\user\AppData\Local\Temp\2499.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\45DE.exe C:\Users\user\AppData\Local\Temp\45DE.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\62FC.exe C:\Users\user\AppData\Local\Temp\62FC.exe
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3728 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=4412 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=4492 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719979751033256 --launch-time-ticks=6642839349 --mojo-platform-channel-handle=4608 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719979751033256 --launch-time-ticks=6642849290 --mojo-platform-channel-handle=4680 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\whhsvcw C:\Users\user\AppData\Roaming\whhsvcw
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\2499.exe C:\Users\user\AppData\Local\Temp\2499.exe			Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\45DE.exe C:\Users\user\AppData\Local\Temp\45DE.exe			Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\62FC.exe C:\Users\user\AppData\Local\Temp\62FC.exe			Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3728 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=4412 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=4492 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719979751033256 --launch-time-ticks=6642839349 --mojo-platform-channel-handle=4608 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719979751033256 --launch-time-ticks=6642849290 --mojo-platform-channel-handle=4680 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Section loaded: msimg32.dll			Jump to behavior
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Section loaded: msvcr100.dll			Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll			Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll			Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll			Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: smartscreenps.dll			Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdprt.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\whhsvcw	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\whhsvcw	Section loaded: msimg32.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\whhsvcw	Section loaded: msvcr100.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: webio.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: schannel.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: mskeyprotect.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: ncryptsslp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: oleacc.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: shfolder.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: schannel.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: mskeyprotect.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: ncryptsslp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: firewallapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: fwbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: audioses.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mdmregistration.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mdmregistration.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: omadmapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dmcmnutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iri.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscms.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dsreg.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\setup.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall

Source: C:\Users\user\Desktop\EiPVv5yELP.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: nsv9958.tmp.14.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: nsv9958.tmp.14.dr
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbP2Ks& source: 62FC.exe, 0000000B.00000002.3658241175.000000000A400000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: h:\work\newContent\secondBranch\DeleteProgram\DeleteProgram\obj\Release\KlMain.pdb source: nsv9958.tmp.14.dr
Source:	Binary string: ntkrnlmp.pdbx source: 62FC.exe, 0000000B.00000002.3658241175.000000000A400000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000F.00000000.3812506612.0000000000772000.00000002.00000001.01000000.00000010.sdmp, nsv9958.tmp.14.dr
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 00000011.00000002.3962952101.0000000005A52000.00000002.00000001.01000000.00000013.sdmp, nsv9958.tmp.14.dr
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000011.00000002.3958936963.0000000005582000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: ntkrnlmp.pdbR6Mo( source: 62FC.exe, 0000000B.00000002.3658241175.000000000A400000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D3DCompiler_43.pdb` source: d3dcompiler_43.dll.14.dr
Source:	Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000E.00000002.3964292603.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, nsv9958.tmp.14.dr
Source:	Binary string: libGLESv2.dll.pdb source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb source: nsv9958.tmp.14.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\** source: 62FC.exe, 0000000B.00000002.3523455444.000000000091D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb$# source: nsv9958.tmp.14.dr
Source:	Binary string: D3DCompiler_43.pdb source: d3dcompiler_43.dll.14.dr
Source:	Binary string: libEGL.dll.pdb source: setup.exe, 0000000E.00000002.3967417431.0000000002732000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbM4Nm) source: 62FC.exe, 0000000B.00000002.3658241175.000000000A400000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 00000011.00000002.3962952101.0000000005A52000.00000002.00000001.01000000.00000013.sdmp, nsv9958.tmp.14.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831a source: 62FC.exe, 0000000B.00000002.3523455444.000000000091D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 00000011.00000002.3958936963.0000000005582000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: \Desktop\projects\Release\BigProject.pdb source: 62FC.exe, 0000000B.00000002.3523082048.0000000000289000.00000002.00000001.01000000.0000000C.sdmp, 62FC.exe, 0000000B.00000000.2713431295.0000000000289000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000E.00000002.3964292603.00000000005DA000.00000004.00000020.00020000.00000000.sdmp, nsv9958.tmp.14.dr
Source:	Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exewall.dlldll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exealldll source: setup.exe, 0000000E.00000002.3963386902.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
Source:	Binary string: \Desktop\projects\Release\BigProject.pdb. source: 62FC.exe, 0000000B.00000002.3523082048.0000000000289000.00000002.00000001.01000000.0000000C.sdmp, 62FC.exe, 0000000B.00000000.2713431295.0000000000289000.00000002.00000001.01000000.0000000C.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Unpacked PE file: 0.2.EiPVv5yELP.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\whhsvcw	Unpacked PE file: 6.2.whhsvcw.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;

Source: C:\Users\user\AppData\Local\Temp\62FC.exe

Unpacked PE file: 11.2.62FC.exe.3240000.3.unpack

Source: Newtonsoft.Json.dll.14.dr

Static PE information: 0xF68F744F [Mon Jan 31 06:35:59 2101 UTC]

Source: C:\Users\user\AppData\Local\Temp\45DE.exe

Code function: 10_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary,

10_2_100010D0

Source: initial sample

Static PE information: section where entry point is pointing to: .vmpLp

Source: 2499.exe.2.dr	Static PE information: section name: .vmpLp
Source: 2499.exe.2.dr	Static PE information: section name: .vmpLp
Source: 2499.exe.2.dr	Static PE information: section name: .vmpLp
Source: libEGL.dll.14.dr	Static PE information: section name: .00cfg
Source: libEGL.dll.14.dr	Static PE information: section name: .voltbl
Source: libGLESv2.dll.14.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll.14.dr	Static PE information: section name: .voltbl
Source: chrome_elf.dll.14.dr	Static PE information: section name: .00cfg
Source: chrome_elf.dll.14.dr	Static PE information: section name: .crthunk
Source: chrome_elf.dll.14.dr	Static PE information: section name: CPADinfo
Source: chrome_elf.dll.14.dr	Static PE information: section name: malloc_h
Source: libEGL.dll0.14.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll0.14.dr	Static PE information: section name: .00cfg
Source: libcef.dll.14.dr	Static PE information: section name: .00cfg
Source: libcef.dll.14.dr	Static PE information: section name: .rodata
Source: libcef.dll.14.dr	Static PE information: section name: CPADinfo
Source: libcef.dll.14.dr	Static PE information: section name: malloc_h

Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Code function: 0_2_00401CD1 push ecx; ret		0_2_00401CD2
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Code function: 0_2_00401C91 push 00000076h; iretd		0_2_00401C93
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Code function: 0_2_00402E96 push B92A2F4Ch; retf		0_2_00402E9B
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Code function: 0_2_02811CF8 push 00000076h; iretd		0_2_02811CFA
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Code function: 0_2_02812EFD push B92A2F4Ch; retf		0_2_02812F02
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Code function: 0_2_02811D38 push ecx; ret		0_2_02811D39
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Code function: 0_2_028F629E push FFFFFFFBh; iretd		0_2_028F62B4
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Code function: 0_2_028F4220 push edx; ret		0_2_028F4221
Source: C:\Users\user\AppData\Roaming\whhsvcw	Code function: 6_2_00401CD1 push ecx; ret		6_2_00401CD2
Source: C:\Users\user\AppData\Roaming\whhsvcw	Code function: 6_2_00401C91 push 00000076h; iretd		6_2_00401C93
Source: C:\Users\user\AppData\Roaming\whhsvcw	Code function: 6_2_00402E96 push B92A2F4Ch; retf		6_2_00402E9B
Source: C:\Users\user\AppData\Roaming\whhsvcw	Code function: 6_2_029A1CF8 push 00000076h; iretd		6_2_029A1CFA
Source: C:\Users\user\AppData\Roaming\whhsvcw	Code function: 6_2_029A2EFD push B92A2F4Ch; retf		6_2_029A2F02
Source: C:\Users\user\AppData\Roaming\whhsvcw	Code function: 6_2_029A1D38 push ecx; ret		6_2_029A1D39
Source: C:\Users\user\AppData\Roaming\whhsvcw	Code function: 6_2_02A37BE6 push FFFFFFFBh; iretd		6_2_02A37BFC
Source: C:\Users\user\AppData\Roaming\whhsvcw	Code function: 6_2_02A35B68 push edx; ret		6_2_02A35B69
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_0027004B push ecx; ret		11_2_0027005E

Source: EiPVv5yELP.exe	Static PE information: section name: .text entropy: 7.509218380839062
Source: whhsvcw.2.dr	Static PE information: section name: .text entropy: 7.509218380839062
Source: Ionic.Zip.dll.14.dr	Static PE information: section name: .text entropy: 6.821349263259562

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\45DE.exe	File created: C:\Users\user\AppData\Local\Temp\setup.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\libcef.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\62FC.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\Del.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	File created: C:\Users\user\AppData\Local\Temp\nsm46E8.tmp\INetC.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\log4net.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	File created: C:\Users\user\AppData\Local\Temp\nsm46E8.tmp\nsProcess.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\huge[1].dat			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	File created: C:\Users\user\AppData\Local\Temp\nsm46E8.tmp\blowfish.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\2499.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\45DE.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsuAB0.tmp\liteFirewall.dll			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\whhsvcw			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll			Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\whhsvcw

Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\setup.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\eipvv5yelp.exe

Jump to behavior

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\whhsvcw:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Roaming\whhsvcw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Roaming\whhsvcw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Roaming\whhsvcw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Roaming\whhsvcw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Roaming\whhsvcw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Roaming\whhsvcw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\62FC.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

Source: C:\Users\user\AppData\Local\Temp\2499.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\EiPVv5yELP.exe	API/Special instruction interceptor: Address: 7FFDB442E814
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	API/Special instruction interceptor: Address: 7FFDB442D584
Source: C:\Users\user\AppData\Local\Temp\2499.exe	API/Special instruction interceptor: Address: 1278181
Source: C:\Users\user\AppData\Local\Temp\2499.exe	API/Special instruction interceptor: Address: 1249E6B
Source: C:\Users\user\AppData\Local\Temp\2499.exe	API/Special instruction interceptor: Address: 10A76F5
Source: C:\Users\user\AppData\Local\Temp\2499.exe	API/Special instruction interceptor: Address: 1184E89
Source: C:\Users\user\AppData\Roaming\whhsvcw	API/Special instruction interceptor: Address: 7FFDB442E814
Source: C:\Users\user\AppData\Roaming\whhsvcw	API/Special instruction interceptor: Address: 7FFDB442D584
Source: C:\Users\user\AppData\Local\Temp\2499.exe	API/Special instruction interceptor: Address: 11C4080
Source: C:\Users\user\AppData\Local\Temp\2499.exe	API/Special instruction interceptor: Address: 1176310
Source: C:\Users\user\AppData\Local\Temp\2499.exe	API/Special instruction interceptor: Address: 12B5B80

Source: whhsvcw

Binary or memory string: ASWHOOK

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: F00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2C60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2BA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1320000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2F60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 14F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1310000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2D30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4E30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2CF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2F20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2CF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 10A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2BE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2B10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1080000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2BB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2A10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1430000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2F50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4F50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 25E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2870000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4870000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1600000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2EF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4EF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 24C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2730000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 24C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: FD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 29D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4AD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: BE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 27A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2500000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 830000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2480000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 23C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1700000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 3280000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 5280000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1210000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2D50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2AB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 12D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2F80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2DD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2BD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2D90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2BD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 940000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2530000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4530000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 9A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 23F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: A80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2DD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2F60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2DF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1320000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2F00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2D00000 memory reserve | memory write watch

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Thread delayed: delay time: 600000

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 423			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 848			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3302			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1543			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 886			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 861			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm46E8.tmp\INetC.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libcef.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\log4net.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm46E8.tmp\nsProcess.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm46E8.tmp\blowfish.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Del.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsuAB0.tmp\liteFirewall.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll			Jump to dropped file

Source: C:\Windows\explorer.exe TID: 5392	Thread sleep time: -84800s >= -30000s			Jump to behavior
Source: C:\Windows\explorer.exe TID: 1476	Thread sleep time: -330200s >= -30000s			Jump to behavior
Source: C:\Windows\explorer.exe TID: 1476	Thread sleep time: -154300s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe TID: 5800	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe TID: 5964	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 2828	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 4988	Thread sleep count: 34 > 30

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Code function: 10_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		10_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Code function: 10_2_004066FF FindFirstFileA,FindClose,		10_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\45DE.exe	Code function: 10_2_004027AA FindFirstFileA,		10_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_002824BD FindFirstFileExW,		11_2_002824BD
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_03241000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection,		11_2_03241000
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_03244E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,		11_2_03244E27
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_03241D3C FindFirstFileW,FindNextFileW,		11_2_03241D3C
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_032440BA FindFirstFileW,FindNextFileW,		11_2_032440BA
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_03243EFC FindFirstFileW,FindNextFileW,		11_2_03243EFC

Source: C:\Users\user\AppData\Local\Temp\62FC.exe

Code function: 11_2_03242054 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,

11_2_03242054

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Thread delayed: delay time: 600000

Source: C:\Users\user\AppData\Local\Temp\62FC.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	File opened: C:\Users\user\AppData\Local\Adobe\			Jump to behavior

Source: explorer.exe, 00000002.00000000.2261967756.000000000962B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: explorer.exe, 00000002.00000000.2262440491.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: explorer.exe, 00000002.00000000.2259150882.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2261967756.000000000978C000.00000004.00000001.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2697215630.0000000001A54000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2650281642.0000000001A54000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000002.2698592212.0000000001A54000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2664547120.0000000001A53000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000002.2698376107.00000000019FE000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2598973511.0000000001A54000.00000004.00000020.00020000.00000000.sdmp, 45DE.exe, 0000000A.00000003.3970046685.0000000000528000.00000004.00000020.00020000.00000000.sdmp, 45DE.exe, 0000000A.00000002.3972181561.0000000000528000.00000004.00000020.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000002.3523455444.000000000091D000.00000004.00000020.00020000.00000000.sdmp, 62FC.exe, 0000000B.00000002.3523455444.00000000008E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: explorer.exe, 00000002.00000000.2260463436.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: explorer.exe, 00000002.00000000.2262440491.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: explorer.exe, 00000002.00000000.2259150882.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: explorer.exe, 00000002.00000000.2264733443.000000000C354000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: explorer.exe, 00000002.00000000.2264733443.000000000C354000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: explorer.exe, 00000002.00000000.2264733443.000000000C354000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@]
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 2499.exe, 00000008.00000003.2613264123.0000000004036000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: explorer.exe, 00000002.00000000.2262440491.00000000097F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000000.2261967756.000000000973C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWws
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: explorer.exe, 00000002.00000000.2261967756.0000000009605000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: explorer.exe, 00000002.00000000.2259150882.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: explorer.exe, 00000002.00000000.2262440491.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 2499.exe, 00000008.00000003.2697215630.0000000001A54000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2650281642.0000000001A54000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000002.2698592212.0000000001A54000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2664547120.0000000001A53000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2598973511.0000000001A54000.00000004.00000020.00020000.00000000.sdmp, 45DE.exe, 0000000A.00000002.3971941688.0000000000507000.00000004.00000020.00020000.00000000.sdmp, 45DE.exe, 0000000A.00000003.3969776646.0000000000507000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: explorer.exe, 00000002.00000000.2259150882.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: 2499.exe, 00000008.00000003.2613264123.0000000004031000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\AppData\Local\Temp\45DE.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\EiPVv5yELP.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\EiPVv5yELP.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\EiPVv5yELP.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\whhsvcw	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\whhsvcw	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\62FC.exe

Code function: 11_2_00274383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

11_2_00274383

Source: C:\Users\user\AppData\Local\Temp\45DE.exe

Code function: 10_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary,

10_2_100010D0

Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Code function: 0_2_02810D90 mov eax, dword ptr fs:[00000030h]		0_2_02810D90
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Code function: 0_2_0281092B mov eax, dword ptr fs:[00000030h]		0_2_0281092B
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Code function: 0_2_028EE0AB push dword ptr fs:[00000030h]		0_2_028EE0AB
Source: C:\Users\user\AppData\Roaming\whhsvcw	Code function: 6_2_029A0D90 mov eax, dword ptr fs:[00000030h]		6_2_029A0D90
Source: C:\Users\user\AppData\Roaming\whhsvcw	Code function: 6_2_029A092B mov eax, dword ptr fs:[00000030h]		6_2_029A092B
Source: C:\Users\user\AppData\Roaming\whhsvcw	Code function: 6_2_02A2F9F3 push dword ptr fs:[00000030h]		6_2_02A2F9F3

Source: C:\Users\user\AppData\Local\Temp\62FC.exe

Code function: 11_2_00285891 GetProcessHeap,

11_2_00285891

Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_00274383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		11_2_00274383
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_00270495 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		11_2_00270495
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_00270622 SetUnhandledExceptionFilter,		11_2_00270622
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: 11_2_002706F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		11_2_002706F0

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe

File created: 62FC.exe.2.dr

Jump to dropped file

Source: C:\Windows\explorer.exe	Network Connect: 141.8.192.126 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.68.16.7 443			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 127.0.0.127 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.3 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 186.101.193.110 80			Jump to behavior

Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Thread created: C:\Windows\explorer.exe EIP: 87E19D0			Jump to behavior
Source: C:\Users\user\AppData\Roaming\whhsvcw	Thread created: unknown EIP: 31A19D0			Jump to behavior

Source: 2499.exe, 00000008.00000002.2697520681.0000000000D5D000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: pedestriankodwu.xyz
Source: 2499.exe, 00000008.00000002.2697520681.0000000000D5D000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: towerxxuytwi.xyz
Source: 2499.exe, 00000008.00000002.2697520681.0000000000D5D000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: ellaboratepwsz.xyz
Source: 2499.exe, 00000008.00000002.2697520681.0000000000D5D000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: penetratedpoopp.xyz
Source: 2499.exe, 00000008.00000002.2697520681.0000000000D5D000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: swellfrrgwwos.xyz
Source: 2499.exe, 00000008.00000002.2697520681.0000000000D5D000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: contintnetksows.shop
Source: 2499.exe, 00000008.00000002.2697520681.0000000000D5D000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: foodypannyjsud.shop
Source: 2499.exe, 00000008.00000002.2697520681.0000000000D5D000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: potterryisiw.shop

Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Users\user\Desktop\EiPVv5yELP.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read			Jump to behavior
Source: C:\Users\user\AppData\Roaming\whhsvcw	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\whhsvcw	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read			Jump to behavior

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3728 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=4412 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=4492 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719979751033256 --launch-time-ticks=6642839349 --mojo-platform-channel-handle=4608 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 13; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719979751033256 --launch-time-ticks=6642849290 --mojo-platform-channel-handle=4680 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (android 13; mobile; rv:127.0) gecko/127.0 firefox/127.0" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3728 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (android 13; mobile; rv:127.0) gecko/127.0 firefox/127.0" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=4412 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (android 13; mobile; rv:127.0) gecko/127.0 firefox/127.0" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=4492 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (android 13; mobile; rv:127.0) gecko/127.0 firefox/127.0" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719979751033256 --launch-time-ticks=6642839349 --mojo-platform-channel-handle=4608 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (android 13; mobile; rv:127.0) gecko/127.0 firefox/127.0" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719979751033256 --launch-time-ticks=6642849290 --mojo-platform-channel-handle=4680 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (android 13; mobile; rv:127.0) gecko/127.0 firefox/127.0" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3728 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (android 13; mobile; rv:127.0) gecko/127.0 firefox/127.0" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=4412 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (android 13; mobile; rv:127.0) gecko/127.0 firefox/127.0" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=4492 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (android 13; mobile; rv:127.0) gecko/127.0 firefox/127.0" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719979751033256 --launch-time-ticks=6642839349 --mojo-platform-channel-handle=4608 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (android 13; mobile; rv:127.0) gecko/127.0 firefox/127.0" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719979751033256 --launch-time-ticks=6642849290 --mojo-platform-channel-handle=4680 --field-trial-handle=3716,i,10340991844468305379,15237520807086814430,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1

Source: explorer.exe, 00000002.00000000.2259426131.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: explorer.exe, 00000002.00000000.2259426131.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2260336746.00000000048E0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2259426131.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.2259150882.0000000000D69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +Progman
Source: explorer.exe, 00000002.00000000.2259426131.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2262440491.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd31A

Language, Device and Operating System Detection

Source: C:\Users\user\AppData\Local\Temp\62FC.exe

Code function: 11_2_0027013C cpuid

11_2_0027013C

Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: EnumSystemLocalesW,		11_2_00285051
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: GetLocaleInfoW,		11_2_0027E096
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,		11_2_002850DC
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: GetLocaleInfoW,		11_2_0028532F
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,		11_2_00285458
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: GetLocaleInfoW,		11_2_0028555E
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,		11_2_00285634
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: EnumSystemLocalesW,		11_2_0027DBC7
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,		11_2_00284CBF
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: EnumSystemLocalesW,		11_2_00284F6B
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	Code function: EnumSystemLocalesW,		11_2_00284FB6

Source: C:\Users\user\AppData\Local\Temp\2499.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\62FC.exe

Code function: 11_2_0027038F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

11_2_0027038F

Source: C:\Users\user\AppData\Local\Temp\45DE.exe

Code function: 10_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

10_2_004034CC

Source: C:\Users\user\AppData\Local\Temp\2499.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: 2499.exe, 00000008.00000003.2664692434.0000000001AD9000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2664460561.0000000001AD8000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2677917601.0000000001AD8000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2697040966.0000000001AD8000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000002.2698805266.0000000001AD8000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2672931566.0000000001AD8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Windows Defender\MsMpeng.exe

Source: 2499.exe, 00000008.00000003.2664692434.0000000001AD9000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2664460561.0000000001AD8000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2677917601.0000000001AD8000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2697040966.0000000001AD8000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000002.2698805266.0000000001AD8000.00000004.00000020.00020000.00000000.sdmp, 2499.exe, 00000008.00000003.2672931566.0000000001AD8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: dows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\2499.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match

File source: Process Memory Space: 2499.exe PID: 2616, type: MEMORYSTR

Source: Yara match	File source: 11.2.62FC.exe.979a60.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.62FC.exe.3240000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.62FC.exe.3240000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.62FC.exe.972340.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.62FC.exe.979a60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.62FC.exe.972340.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3523455444.000000000091D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3524183588.0000000003240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 62FC.exe PID: 1780, type: MEMORYSTR

Source: Yara match	File source: 00000000.00000002.2273459134.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2273150285.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2576511233.00000000029D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2576456147.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: 2499.exe, 00000008.00000003.2650281642.0000000001A54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: 2499.exe, 00000008.00000003.2650281642.0000000001A54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: 2499.exe, 00000008.00000003.2697215630.0000000001A54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: 2499.exe, 00000008.00000003.2650281642.0000000001A54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: 2499.exe, 00000008.00000003.2650281642.0000000001A54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 2499.exe, 00000008.00000003.2650281642.0000000001A54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 2499.exe, 00000008.00000003.2650281642.0000000001A54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: 2499.exe, 00000008.00000003.2650072383.0000000001A20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 2499.exe, 00000008.00000003.2650072383.0000000001A20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\62FC.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\Binance			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\Binance			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2499.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ			Jump to behavior

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Directory queried: number of queries: 1294

Source: Yara match	File source: 00000008.00000003.2650281642.0000000001A54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2650072383.0000000001A54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2499.exe PID: 2616, type: MEMORYSTR

Remote Access Functionality

Source: Yara match

File source: Process Memory Space: 2499.exe PID: 2616, type: MEMORYSTR

Source: Yara match	File source: 11.2.62FC.exe.979a60.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.62FC.exe.3240000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.62FC.exe.3240000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.62FC.exe.972340.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.62FC.exe.979a60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.62FC.exe.972340.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3523455444.000000000091D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3524183588.0000000003240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 62FC.exe PID: 1780, type: MEMORYSTR

Source: Yara match	File source: 00000000.00000002.2273459134.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2273150285.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2576511233.00000000029D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2576456147.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY