Windows Analysis Report
JuHVfiAuLo.exe

Overview

General Information

Sample name: JuHVfiAuLo.exe
renamed because original name is a hash value
Original sample name: 0c653f386efe0b014ffc681b49120706.exe
Analysis ID: 1466598
MD5: 0c653f386efe0b014ffc681b49120706
SHA1: dd7ddec0bae7270469fa6cfb9d3d0b7f0c170b54
SHA256: a6c2a7ffb68b797967ad979e51a1330e9f16223e4f5dc8500b0a58741176f83c
Tags: exe
Infos:

Detection

LummaC, Poverty Stealer, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected LummaC Stealer
Yara detected Poverty Stealer
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Name Description Attribution Blogpost URLs Link
SmokeLoader The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
  • SMOKY SPIDER
 https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: JuHVfiAuLo.exe Avira: detected
Antivirus detection for URL or domain
Source: https://foodypannyjsud.shop/w Avira URL Cloud: Label: malware
Source: http://gebeus.ru/tmp/index.php Avira URL Cloud: Label: malware
Source: http://cx5519.com/tmp/index.php Avira URL Cloud: Label: malware
Source: contintnetksows.shop Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/J Avira URL Cloud: Label: malware
Source: http://evilos.cc/tmp/index.php Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/pi_ Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/apin Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/apio Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/piV Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/apiw Avira URL Cloud: Label: malware
Source: ellaboratepwsz.xyz Avira URL Cloud: Label: malware
Source: swellfrrgwwos.xyz Avira URL Cloud: Label: malware
Source: foodypannyjsud.shop Avira URL Cloud: Label: malware
Source: pedestriankodwu.xyz Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Temp\37A.exe Avira: detection malicious, Label: HEUR/AGEN.1313486
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Avira: detection malicious, Label: HEUR/AGEN.1352426
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\huge[1].dat Avira: detection malicious, Label: HEUR/AGEN.1359405
Found malware configuration
Source: 00000005.00000002.1674811450.0000000002860000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
Source: 12.2.56AD.exe.39b0000.3.unpack Malware Configuration Extractor: Poverty Stealer {"C2 url": "146.70.169.164:2227"}
Source: 37A.exe.2464.6.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "bOKHNM--"}
Multi AV Scanner detection for domain / URL
Source: http://gebeus.ru/tmp/index.php Virustotal: Detection: 15% Perma Link
Source: http://cx5519.com/tmp/index.php Virustotal: Detection: 11% Perma Link
Source: contintnetksows.shop Virustotal: Detection: 15% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\2C50.exe ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\37A.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\56AD.exe ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Roaming\ifgewai ReversingLabs: Detection: 39%
Multi AV Scanner detection for submitted file
Source: JuHVfiAuLo.exe ReversingLabs: Detection: 39%
Source: JuHVfiAuLo.exe Virustotal: Detection: 37% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\37A.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\Del.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: JuHVfiAuLo.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_039B1C94 CryptUnprotectData,CryptProtectData, 12_2_039B1C94
Uses 32bit PE files
Source: JuHVfiAuLo.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbc source: 56AD.exe, 0000000C.00000002.2826942661.000000000AAA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdb source: widevinecdmadapter.dll.14.dr
Source: Binary string: D3DCompiler_43.pdb source: d3dcompiler_43.dll.14.dr
Source: Binary string: ntkrnlmp.pdbx source: 56AD.exe, 0000000C.00000002.2826942661.000000000AAA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbY source: 56AD.exe, 0000000C.00000002.2826942661.000000000AAA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000F.00000000.2985165110.00000000001C2000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 00000016.00000002.3206188987.0000000005332000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exeePallll source: setup.exe, 0000000E.00000002.3410722418.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000014.00000002.3097190836.0000000005592000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 00000016.00000002.3206188987.0000000005332000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 56AD.exe, 0000000C.00000002.2666707491.000000000120D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdbGCTL source: widevinecdmadapter.dll.14.dr
Source: Binary string: D3DCompiler_43.pdb` source: d3dcompiler_43.dll.14.dr
Source: Binary string: ntkrnlmp.pdbb source: 56AD.exe, 0000000C.00000002.2826942661.000000000AAA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 00000014.00000002.3097190836.0000000005592000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: 56AD.exe, 0000000C.00000000.1932480311.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp, 56AD.exe, 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000E.00000002.3578145645.00000000006DA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000E.00000002.3578145645.00000000006DA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: 56AD.exe, 0000000C.00000000.1932480311.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp, 56AD.exe, 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Directory queried: number of queries: 1389
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004B24BD FindFirstFileExW, 12_2_004B24BD
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_039B1000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection, 12_2_039B1000
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_039B4E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW, 12_2_039B4E27
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_039B1D3C FindFirstFileW,FindNextFileW, 12_2_039B1D3C
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_039B40BA FindFirstFileW,FindNextFileW, 12_2_039B40BA
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_039B3EFC FindFirstFileW,FindNextFileW, 12_2_039B3EFC
Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Adobe\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\ Jump to behavior

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 141.8.192.126 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 185.68.16.7 443 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 127.0.0.127 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 2.185.214.11 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: pedestriankodwu.xyz
Source: Malware configuration extractor URLs: towerxxuytwi.xyz
Source: Malware configuration extractor URLs: ellaboratepwsz.xyz
Source: Malware configuration extractor URLs: penetratedpoopp.xyz
Source: Malware configuration extractor URLs: swellfrrgwwos.xyz
Source: Malware configuration extractor URLs: contintnetksows.shop
Source: Malware configuration extractor URLs: foodypannyjsud.shop
Source: Malware configuration extractor URLs: potterryisiw.shop
Source: Malware configuration extractor URLs: potterryisiw.shop
Source: Malware configuration extractor URLs: http://evilos.cc/tmp/index.php
Source: Malware configuration extractor URLs: http://gebeus.ru/tmp/index.php
Source: Malware configuration extractor URLs: http://office-techs.biz/tmp/index.php
Source: Malware configuration extractor URLs: http://cx5519.com/tmp/index.php
Source: Malware configuration extractor URLs: 146.70.169.164:2227
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 1.1.1.1 1.1.1.1
Source: Joe Sandbox View IP Address: 104.192.141.1 104.192.141.1
Source: Joe Sandbox View IP Address: 104.192.141.1 104.192.141.1
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SPRINTHOSTRU SPRINTHOSTRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_00445B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,FreeLibrary,task, 12_2_00445B80
Source: GamePall.exe, 00000026.00000002.3396291727.0000000002C57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.install-stat.debug.world/clients/activity
Source: GamePall.exe, 0000001E.00000002.3413359163.0000000002CD8000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000026.00000002.3396291727.0000000002C01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.install-stat.debug.world/clients/activity=4
Source: GamePall.exe, 00000026.00000002.3396291727.0000000002C57000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000026.00000002.3396291727.0000000002C01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.install-stat.debug.world/clients/installs
Source: GamePall.exe, 00000026.00000002.3396291727.0000000002C57000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000026.00000002.3396291727.0000000002C01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bageyou.xyz
Source: 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: explorer.exe, 00000002.00000000.1435797743.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1435797743.00000000091FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: resources.pak.14.dr String found in binary or memory: http://crbug.com/1352358
Source: resources.pak.14.dr String found in binary or memory: http://crbug.com/275944
Source: resources.pak.14.dr String found in binary or memory: http://crbug.com/378067
Source: resources.pak.14.dr String found in binary or memory: http://crbug.com/437891.
Source: resources.pak.14.dr String found in binary or memory: http://crbug.com/456214
Source: resources.pak.14.dr String found in binary or memory: http://crbug.com/497301
Source: resources.pak.14.dr String found in binary or memory: http://crbug.com/510270
Source: resources.pak.14.dr String found in binary or memory: http://crbug.com/514696
Source: resources.pak.14.dr String found in binary or memory: http://crbug.com/642141
Source: resources.pak.14.dr String found in binary or memory: http://crbug.com/672186).
Source: resources.pak.14.dr String found in binary or memory: http://crbug.com/717501
Source: resources.pak.14.dr String found in binary or memory: http://crbug.com/775961
Source: resources.pak.14.dr String found in binary or memory: http://crbug.com/819404
Source: resources.pak.14.dr String found in binary or memory: http://crbug.com/839189
Source: resources.pak.14.dr String found in binary or memory: http://crbug.com/957772
Source: 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: explorer.exe, 00000002.00000000.1435797743.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1435797743.00000000091FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: explorer.exe, 00000002.00000000.1435797743.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1435797743.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1435797743.00000000091FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: GamePall.exe, 00000014.00000002.3097190836.0000000005592000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: explorer.exe, 00000002.00000000.1434205230.0000000004405000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ns.adobeS
Source: 2C50.exe, 00000008.00000000.1867070648.000000000040A000.00000008.00000001.01000000.00000007.sdmp, setup.exe, 0000000E.00000003.2986001329.000000000073A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000E.00000000.2673100697.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, setup.exe, 0000000E.00000002.3410722418.000000000040A000.00000004.00000001.01000000.0000000D.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 2C50.exe, 00000008.00000000.1867070648.000000000040A000.00000008.00000001.01000000.00000007.sdmp, setup.exe, 0000000E.00000003.2986001329.000000000073A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000E.00000000.2673100697.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, setup.exe, 0000000E.00000002.3410722418.000000000040A000.00000004.00000001.01000000.0000000D.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000002.00000000.1435797743.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1435797743.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.1435797743.00000000090DA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: explorer.exe, 00000002.00000000.1433769568.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1435122753.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1435111090.0000000007710000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: GamePall.exe, 00000014.00000002.3097190836.0000000005592000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: http://www.apache.org/).
Source: GamePall.exe, 00000014.00000002.3097190836.0000000005592000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: http://www.apache.org/licenses/
Source: GamePall.exe, 00000014.00000002.3097190836.0000000005592000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.1435797743.0000000009237000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.c
Source: 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: 2C50.exe, 00000008.00000003.1871311133.0000000003070000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xiexie.wf/22_551/huge.dat
Source: 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2682429151.000000000A161000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000002.00000000.1437648332.000000000BC80000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000002.00000000.1437648332.000000000BC80000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.1437648332.000000000BC80000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOSA4
Source: explorer.exe, 00000002.00000000.1437648332.000000000BC80000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOSd
Source: explorer.exe, 00000002.00000000.1434593106.000000000702D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.1435797743.00000000090DA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
Source: explorer.exe, 00000002.00000000.1435797743.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.1435797743.00000000091FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: 56AD.exe, 0000000C.00000003.2448304219.0000000001220000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aui-cdn.atlassian.com/
Source: 56AD.exe, 0000000C.00000002.2666707491.00000000011ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/
Source: 56AD.exe, 0000000C.00000002.2666707491.00000000011A0000.00000004.00000020.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2666707491.00000000011ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee
Source: 56AD.exe, 0000000C.00000002.2666707491.00000000011ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee(
Source: 56AD.exe, 0000000C.00000002.2666707491.00000000011ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/l
Source: 37A.exe, 00000006.00000003.1827063278.0000000003AF7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: 37A.exe, 00000006.00000003.1827063278.0000000003AF7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: 56AD.exe, 0000000C.00000003.2448304219.0000000001220000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cookielaw.org/
Source: 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2682429151.000000000A161000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
Source: 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2682429151.000000000A161000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2682429151.000000000A161000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: resources.pak.14.dr String found in binary or memory: https://chrome.google.com/webstore
Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: af.pak.14.dr String found in binary or memory: https://chrome.google.com/webstore?hl=af&category=theme81https://myactivity.google.com/myactivity/?u
Source: af.pak.14.dr String found in binary or memory: https://chrome.google.com/webstore?hl=afCtrl$1
Source: hi.pak.14.dr String found in binary or memory: https://chrome.google.com/webstore?hl=hi&category=theme81https://myactivity.google.com/myactivity/?u
Source: hi.pak.14.dr String found in binary or memory: https://chrome.google.com/webstore?hl=hiCtrl$1
Source: ja.pak.14.dr String found in binary or memory: https://chrome.google.com/webstore?hl=ja&category=theme81https://myactivity.google.com/myactivity/?u
Source: ja.pak.14.dr String found in binary or memory: https://chrome.google.com/webstore?hl=jaCtrl$1
Source: mr.pak.14.dr String found in binary or memory: https://chrome.google.com/webstore?hl=mr&category=theme81https://myactivity.google.com/myactivity/?u
Source: mr.pak.14.dr String found in binary or memory: https://chrome.google.com/webstore?hl=mrCtrl$1
Source: ms.pak.14.dr String found in binary or memory: https://chrome.google.com/webstore?hl=ms&category=theme81https://myactivity.google.com/myactivity/?u
Source: ms.pak.14.dr String found in binary or memory: https://chrome.google.com/webstore?hl=msCtrl$1
Source: tr.pak.14.dr String found in binary or memory: https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u
Source: tr.pak.14.dr String found in binary or memory: https://chrome.google.com/webstore?hl=trCtrl$1
Source: ur.pak.14.dr String found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
Source: ur.pak.14.dr String found in binary or memory: https://chrome.google.com/webstore?hl=urCtrl$2
Source: vi.pak.14.dr String found in binary or memory: https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u
Source: vi.pak.14.dr String found in binary or memory: https://chrome.google.com/webstore?hl=viCtrl$1
Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, af.pak.14.dr String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: resources.pak.14.dr String found in binary or memory: https://chromewebstore.google.com/
Source: resources.pak.14.dr String found in binary or memory: https://codereview.chromium.org/25305002).
Source: 37A.exe, 00000006.00000003.1827063278.0000000003AF7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: 37A.exe, 00000006.00000003.1827063278.0000000003AF7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: resources.pak.14.dr String found in binary or memory: https://crbug.com/1201800
Source: resources.pak.14.dr String found in binary or memory: https://crbug.com/1245093):
Source: resources.pak.14.dr String found in binary or memory: https://crbug.com/1446731
Source: 56AD.exe, 0000000C.00000003.2448304219.0000000001220000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
Source: 56AD.exe, 0000000C.00000003.2448304219.0000000001220000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
Source: 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2682429151.000000000A161000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2682429151.000000000A161000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000002.00000000.1437648332.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: 37A.exe, 00000006.00000003.1873171538.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1799987736.0000000000C19000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910690894.0000000000C64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/
Source: 37A.exe, 00000006.00000003.1799870119.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1799987736.0000000000C19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/J
Source: 37A.exe, 00000006.00000003.1799987736.0000000000C19000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910690894.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1878559703.0000000000C64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/api
Source: 37A.exe, 00000006.00000003.1799870119.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1799987736.0000000000C19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/apiN
Source: 37A.exe, 00000006.00000003.1799870119.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1799987736.0000000000C19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/apin
Source: 37A.exe, 00000006.00000002.1912240377.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1878333229.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1871396191.0000000000C83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/apio
Source: 37A.exe, 00000006.00000003.1853254880.0000000000C61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/apiw
Source: 37A.exe, 00000006.00000003.1853429053.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1853254880.0000000000C61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/ks4
Source: 37A.exe, 00000006.00000003.1853429053.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1853254880.0000000000C61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/ksx
Source: 37A.exe, 00000006.00000003.1910888988.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000002.1912209776.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910690894.0000000000C64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/pi
Source: 37A.exe, 00000006.00000003.1878559703.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910888988.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000002.1912209776.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1873171538.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910690894.0000000000C64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/piV
Source: 37A.exe, 00000006.00000003.1878559703.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910888988.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000002.1912209776.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1873171538.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910690894.0000000000C64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/pi_
Source: 37A.exe, 00000006.00000003.1799870119.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1799987736.0000000000C19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop/w
Source: 37A.exe, 00000006.00000003.1910649634.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1878486202.0000000003AF2000.00000004.00000800.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910950384.0000000003AF8000.00000004.00000800.00020000.00000000.sdmp, 37A.exe, 00000006.00000002.1913522906.0000000003AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop:443/api
Source: 37A.exe, 00000006.00000003.1853092174.0000000003AF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://foodypannyjsud.shop:443/apicrosoft
Source: Newtonsoft.Json.xml.14.dr String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json/issues/652
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: 37A.exe, 00000006.00000003.1827063278.0000000003AF7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr String found in binary or memory: https://myactivity.google.com/
Source: explorer.exe, 00000002.00000000.1437648332.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: ur.pak.14.dr String found in binary or memory: https://passwords.google.com
Source: ms.pak.14.dr String found in binary or memory: https://passwords.google.comAkaun
Source: tr.pak.14.dr, hi.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr String found in binary or memory: https://passwords.google.comGoogle
Source: af.pak.14.dr String found in binary or memory: https://passwords.google.comGoogle-rekeningGestoorde
Source: vi.pak.14.dr String found in binary or memory: https://passwords.google.comT
Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr String found in binary or memory: https://policies.google.com/
Source: explorer.exe, 00000002.00000000.1437648332.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comer
Source: 56AD.exe, 0000000C.00000003.2448304219.0000000001220000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: 56AD.exe, 0000000C.00000003.2448304219.0000000001220000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, af.pak.14.dr String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: 37A.exe, 00000006.00000003.1826683278.0000000003C15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 37A.exe, 00000006.00000003.1826683278.0000000003C15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: GamePall.exe, 00000014.00000002.3097288070.00000000055D6000.00000002.00000001.01000000.00000011.sdmp, GamePall.exe, 00000014.00000002.3097190836.0000000005592000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: 56AD.exe, 0000000C.00000003.2448304219.0000000001220000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.1437648332.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/EM0
Source: explorer.exe, 00000002.00000000.1437648332.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com48
Source: 37A.exe, 00000006.00000003.1827063278.0000000003AF7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2682429151.000000000A161000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: resources.pak.14.dr String found in binary or memory: https://www.google.com/
Source: hi.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: ur.pak.14.dr String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&
Source: ms.pak.14.dr String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlB&antuanDiurus
Source: af.pak.14.dr String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlBestuur
Source: vi.pak.14.dr String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&r
Source: tr.pak.14.dr String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlYar&d
Source: 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2682429151.000000000A161000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 37A.exe, 00000006.00000003.1827063278.0000000003AF7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: 37A.exe, 00000006.00000003.1826578266.0000000003B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: 37A.exe, 00000006.00000003.1826683278.0000000003C15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: 37A.exe, 00000006.00000003.1826683278.0000000003C15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: 37A.exe, 00000006.00000003.1826683278.0000000003C15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 37A.exe, 00000006.00000003.1826683278.0000000003C15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: Newtonsoft.Json.xml.14.dr String found in binary or memory: https://www.newtonsoft.com/jsonschema

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000005.00000002.1675035476.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1447641178.00000000028D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1674811450.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1447603831.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_039B4BA2 GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,DeleteObject,DeleteDC,ReleaseDC, 12_2_039B4BA2
Too many similar processes found
Source: GamePall.exe Process created: 48

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.1675035476.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1447641178.00000000028D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.1674783702.0000000002850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.1674934767.000000000299C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1447731627.000000000296C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1447509883.0000000002780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.1674811450.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1447603831.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Abnormal high CPU Usage
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401538
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_00402FE9 RtlCreateUserThread,NtTerminateProcess, 0_2_00402FE9
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004014DE
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401496
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401543
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401565
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401579
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040157C
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_00401538
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_00402FE9 RtlCreateUserThread,NtTerminateProcess, 5_2_00402FE9
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_004014DE
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_00401496
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_00401543
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_00401565
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_00401579
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_0040157C
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004A1490 12_2_004A1490
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004AD515 12_2_004AD515
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004B4775 12_2_004B4775
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004ABE09 12_2_004ABE09
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\huge[1].dat B9BC473FC866909F089E005BAF2537EE7FF2825668D40D67C960D5C2AFB34E9F
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\2C50.exe 42CEB2252FEC41FD0ACC6874B41C91E0BA07C367045D6A9A7850D59781C2584C
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: String function: 004A0310 appears 51 times
Uses 32bit PE files
Source: JuHVfiAuLo.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000005.00000002.1675035476.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1447641178.00000000028D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.1674783702.0000000002850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.1674934767.000000000299C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1447731627.000000000296C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1447509883.0000000002780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.1674811450.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1447603831.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: JuHVfiAuLo.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ifgewai.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Ionic.Zip.dll.14.dr, WinZipAesCipherStream.cs Cryptographic APIs: 'TransformBlock'
Source: Ionic.Zip.dll.14.dr, WinZipAesCipherStream.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Ionic.Zip.dll.14.dr, WinZipAesCipherStream.cs Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: GamePall.exe.14.dr, Program.cs Base64 encoded string: 'pizR9uKkcZIkMW+F1cRjYV0LMt6eYXmLuiNCndESDPkTO3eY1Mjv7Hs2Qvo+t26G', 'ZTDMzZVpdA1FSa2RiY6ZCl2QGyLDtQ3OBRa/N40wO2xxcvcDsATtLRGwKtaEB36dqPJnDF8qXNs92JbMBlsOyg==', 'nYQvMVlU2Asj2rNkmi7xBNqGCkGzSnaP0raCPfB8A9hSwWFTIjPcsKgDrCVAEwSQ1lHf/WOhnKR59a5JjrkJVUOFvV43wO8MM1FKgjYuj7ZzvvuGve+okViUQx+oGN+llGnjS4Fm9o1MUn7p+qcPVIDZRcvMal1ARjQNk+bFvT5vC4J8slkhLZYtvBYmOybvSK90G7/f/U8GPBdM7WBmfFdHzzGxw6WFcHlkdySP8Nvmzff08RdOn8QOu8FlABEqqEjQ0W84v+/lU0lmhvzugpodd8fIp2kb2/twZPg9/Jsy5viOC65K8bs1ES63SA2d62f5cJYpFf1f0WBQbCBcSzfwiDlBCWVIW9vFXW1awyEMdm3q36+BViyETC5tnyHuoLRgf3bXoQAwqE0OIII5DROfW+LmqqHY82rVXHAqhVjdA2wZRWcSI1zxV7+qTfhmp9qbIQAWSuuXTzhbIvI3gjvtPCdz9uBv8rjyg1XZNxfdgYdtF+klyGgKdefnu5G2pgjfT3Kb/VbjgkFvLlqtWNr5K7iC080FVeHsZazMHUrrDtsmNdChtvnX8Zj77rIGVxi9RfvHhhIhBj+WSos+lJ2nuvQkUpqVEa1mrZSwPezG/uoh0qvs+BAHbNFNjv99WS6tgWIkvcQVCi2h3cfxTGQiZDetQZqB+N/mnvgC6WdrcRKGHBE4mp6bpgTY9+nt3lPiH6OZnlxC8rdHbuGtY6R/FgNFYkw49JWXYeZ1VV3KnjSrFMvDlkyMCAW1X9/1VoC+f73WVYMLwXafDKtGO2lfr9vwKms+8HoEgs7bj0aroIPdmLK/z/djAsFZO8Vp', 'T7BWwqrn4yISEECEAnARpwE8R+3lDHSc+RlcJT90an1SNsS27lGBQjOx4RmDHlrj7oJnnzx1IWXOkbTfLzBeCfU6UJhOIoQKhcWidAxAKIxvqZnoB6AujIU0F7dEj65vahyTdEvkIxzFaV2+akbl53KcDi5RPBOP16iXVi0WJdHV5AbSCI9WCEcSX/fUpmukBh4bjVF/T/P/B6TFVtNZintCOSO2Ha+2va2CJMOnJ020zYskwuvcH9d1rGD3Zf9RBC2obzrhRNK2LXTEIYnifs6L2UdqFhw5aANXILziQtzKvsTQKvc15hvHCCoeXJCyyK7/WgA/oRu7bdrTs2DwCQ==', 'ZY0WCEgzqiLEU8ZUVJwGTpbkuL9KoMwYVloBqJXjur8rfBZEXTysQNKRQ1H7/vn7o0wyHAux60SVy06r4v6So5WWxddei09LXvL6ZwK/tyY=', 's7iS2XfzyI+IBoARaZQlTINg1kEy7qT7EopaSHQzpqktZBtc7UiOYrPdv/6f4cNI', 'o2ZleBui4P9C2ZjnB98Vuesy1C+WucHiXjQJ8RANoX6TheGfnLYAWDsXRfSeNCDHWdkBP2RBrkWPBy/nuM2NFLMETMUsPFeG3JHWafvGKzaNEjYO3Up9m61SnaY5tINvLCYJ/TKITszJ9H1YSm2chnmQGLUzbz4pwvWvvKfH8m7z585W73/QZrtw3l/30vcZaVocgwemYusDJYsOTgeWc0okiDahD7qtJcBYZ0aOzxZZmHDMBYigkRVf8GTJ/xucA/i7EHBFpaWoLVZVcuGFMA==', 'T7BWwqrn4yISEECEAnARp+JyVgG3cZc2/9+3VbyOjc4PuRSCU7ZfXuXpIIH8uj2roUU+W7nSmXHqTuxLhe6DBfNVh8PFZrhNX/YhIexDxrk=', 'G4TxOgdwfNBdU+6bscw2hqt3kZYZMfoEuKZtmCxRLrF8xJCK1+L0ocd8eSQjty7d', 'PcG64iM3U1vDIVDm7HuwTSvKhuz45f/WPqYoWZvzLHcapbEfkynZkUjmDgg30eof', 'XGcq7Js3+2f2oGHGFzxJPiYsrodwK+bTw/0lKjiUd0tSWMHEjdVqzAclD1/nPksq3sGhVTN8oFeHMRE7wAt3mCLVCEXKF9JLnNeWw9vvCbs=', 'T7BWwqrn4yISEECEAnARp8UQ6kvfa8mDiwe39obQZ+Rxfj5bbo//kf+4mlTsZUEg0QM/4QBKb6sUDMsk9OTdYg==', 'T7BWwqrn4yISEECEAnARp/U1NCwfjpQ4K5UKuMbDqXSrjfU6Tf/pOCpHlHXtYnU5', 'Gg/rFkGmnFrfPAny9sQ3qerPGxlC7+cuu92x2tgXrCRkqABwTbbIR8+hJN0krbBD9OJX8s2JqeR+xICuD2u17N7KjlWCZwpg4+c7mG1xAahALfXXbu/EvJy+KsAzQlzR9bu8P4wbyuM6r6/7kdf+VQ==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLT3pudJg4gGhcEax3IHwBI0R5vZR7J9mjUQ8R9MdKz/Fw==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLTcCwJrbTmNGWmZutw1Di2FSZ+3JxFtC00BiemuQuq2+A=='
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@256/114@0/10
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_0296F384 CreateToolhelp32Snapshot,Module32First, 0_2_0296F384
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\ifgewai Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_rendLog.txt
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Mutant created: \Sessions\1\BaseNamedObjects\1e7f31ac-1494-47cc-9633-054c20e7432e
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_mainLog.txt
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\37A.tmp Jump to behavior
Source: JuHVfiAuLo.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 37A.exe, 00000006.00000003.1813211172.0000000003B05000.00000004.00000800.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1814214767.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1800583621.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1815597097.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1800904646.0000000003AF6000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2633336272.0000000001299000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: JuHVfiAuLo.exe ReversingLabs: Detection: 39%
Source: JuHVfiAuLo.exe Virustotal: Detection: 37%
Source: unknown Process created: C:\Users\user\Desktop\JuHVfiAuLo.exe "C:\Users\user\Desktop\JuHVfiAuLo.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\ifgewai C:\Users\user\AppData\Roaming\ifgewai
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\37A.exe C:\Users\user\AppData\Local\Temp\37A.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\2C50.exe C:\Users\user\AppData\Local\Temp\2C50.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\56AD.exe C:\Users\user\AppData\Local\Temp\56AD.exe
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\setup.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3420 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3536 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3576 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903769137 --mojo-platform-channel-handle=3936 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903928806 --mojo-platform-channel-handle=4104 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\37A.exe C:\Users\user\AppData\Local\Temp\37A.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\2C50.exe C:\Users\user\AppData\Local\Temp\2C50.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\56AD.exe C:\Users\user\AppData\Local\Temp\56AD.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3420 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3536 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3576 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903769137 --mojo-platform-channel-handle=3936 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903928806 --mojo-platform-channel-handle=4104 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cdprt.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: smartscreenps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ifgewai Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ifgewai Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ifgewai Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: firewallapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: fwbase.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: audioses.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscms.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mdmregistration.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mdmregistration.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: omadmapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dmcmnutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iri.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dsreg.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbc source: 56AD.exe, 0000000C.00000002.2826942661.000000000AAA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdb source: widevinecdmadapter.dll.14.dr
Source: Binary string: D3DCompiler_43.pdb source: d3dcompiler_43.dll.14.dr
Source: Binary string: ntkrnlmp.pdbx source: 56AD.exe, 0000000C.00000002.2826942661.000000000AAA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbY source: 56AD.exe, 0000000C.00000002.2826942661.000000000AAA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000F.00000000.2985165110.00000000001C2000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 00000016.00000002.3206188987.0000000005332000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exeePallll source: setup.exe, 0000000E.00000002.3410722418.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000014.00000002.3097190836.0000000005592000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 00000016.00000002.3206188987.0000000005332000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 56AD.exe, 0000000C.00000002.2666707491.000000000120D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdbGCTL source: widevinecdmadapter.dll.14.dr
Source: Binary string: D3DCompiler_43.pdb` source: d3dcompiler_43.dll.14.dr
Source: Binary string: ntkrnlmp.pdbb source: 56AD.exe, 0000000C.00000002.2826942661.000000000AAA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 00000014.00000002.3097190836.0000000005592000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: 56AD.exe, 0000000C.00000000.1932480311.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp, 56AD.exe, 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000E.00000002.3578145645.00000000006DA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000E.00000002.3578145645.00000000006DA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: 56AD.exe, 0000000C.00000000.1932480311.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp, 56AD.exe, 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Unpacked PE file: 0.2.JuHVfiAuLo.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\ifgewai Unpacked PE file: 5.2.ifgewai.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Binary contains a suspicious time stamp
Source: Newtonsoft.Json.dll.14.dr Static PE information: 0xF68F744F [Mon Jan 31 06:35:59 2101 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_00445B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,FreeLibrary,task, 12_2_00445B80
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .vmpLp
PE file contains sections with non-standard names
Source: 37A.exe.2.dr Static PE information: section name: .vmpLp
Source: 37A.exe.2.dr Static PE information: section name: .vmpLp
Source: 37A.exe.2.dr Static PE information: section name: .vmpLp
Source: chrome_elf.dll.14.dr Static PE information: section name: .00cfg
Source: chrome_elf.dll.14.dr Static PE information: section name: .crthunk
Source: chrome_elf.dll.14.dr Static PE information: section name: CPADinfo
Source: chrome_elf.dll.14.dr Static PE information: section name: malloc_h
Source: libEGL.dll.14.dr Static PE information: section name: .00cfg
Source: libGLESv2.dll.14.dr Static PE information: section name: .00cfg
Source: libcef.dll.14.dr Static PE information: section name: .00cfg
Source: libcef.dll.14.dr Static PE information: section name: .rodata
Source: libcef.dll.14.dr Static PE information: section name: CPADinfo
Source: libcef.dll.14.dr Static PE information: section name: malloc_h
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_00401CD1 push ecx; ret 0_2_00401CD2
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_00401C91 push 00000076h; iretd 0_2_00401C93
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_00402E96 push B92A2F4Ch; retf 0_2_00402E9B
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_02781D38 push ecx; ret 0_2_02781D39
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_02781CF8 push 00000076h; iretd 0_2_02781CFA
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_02782EFD push B92A2F4Ch; retf 0_2_02782F02
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_02974DD6 push edx; ret 0_2_02974DD7
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_02976E54 push FFFFFFFBh; iretd 0_2_02976E6A
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_00401CD1 push ecx; ret 5_2_00401CD2
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_00401C91 push 00000076h; iretd 5_2_00401C93
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_00402E96 push B92A2F4Ch; retf 5_2_00402E9B
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_02852EFD push B92A2F4Ch; retf 5_2_02852F02
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_02851CF8 push 00000076h; iretd 5_2_02851CFA
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_02851D38 push ecx; ret 5_2_02851D39
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_029A5586 push edx; ret 5_2_029A5587
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_029A7604 push FFFFFFFBh; iretd 5_2_029A761A
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004A004B push ecx; ret 12_2_004A005E
Source: JuHVfiAuLo.exe Static PE information: section name: .text entropy: 7.498035460167549
Source: ifgewai.2.dr Static PE information: section name: .text entropy: 7.498035460167549
Source: Ionic.Zip.dll.14.dr Static PE information: section name: .text entropy: 6.821349263259562
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2C50.exe File created: C:\Users\user\AppData\Local\Temp\setup.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2C50.exe File created: C:\Users\user\AppData\Local\Temp\nsm2A3E.tmp\nsProcess.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2C50.exe File created: C:\Users\user\AppData\Local\Temp\nsm2A3E.tmp\blowfish.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libcef.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\ifgewai Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\37A.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2C50.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\huge[1].dat Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2C50.exe File created: C:\Users\user\AppData\Local\Temp\nsm2A3E.tmp\INetC.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\log4net.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\2C50.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Del.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\56AD.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Local\Temp\nsyDD2E.tmp\liteFirewall.dll Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\ifgewai Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\juhvfiaulo.exe Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\ifgewai:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\ifgewai Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\ifgewai Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\ifgewai Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\ifgewai Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\ifgewai Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\ifgewai Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\37A.exe System information queried: FirmwareTableInformation Jump to behavior
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe API/Special instruction interceptor: Address: 7FFBCB7AE814
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe API/Special instruction interceptor: Address: 7FFBCB7AD584
Source: C:\Users\user\AppData\Roaming\ifgewai API/Special instruction interceptor: Address: 7FFBCB7AE814
Source: C:\Users\user\AppData\Roaming\ifgewai API/Special instruction interceptor: Address: 7FFBCB7AD584
Source: C:\Users\user\AppData\Local\Temp\37A.exe API/Special instruction interceptor: Address: 1366310
Source: C:\Users\user\AppData\Local\Temp\37A.exe API/Special instruction interceptor: Address: 13B522F
Source: C:\Users\user\AppData\Local\Temp\37A.exe API/Special instruction interceptor: Address: 12976F5
Source: C:\Users\user\AppData\Local\Temp\37A.exe API/Special instruction interceptor: Address: 14A5B80
Source: C:\Users\user\AppData\Local\Temp\37A.exe API/Special instruction interceptor: Address: 1374E89
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: JuHVfiAuLo.exe, ifgewai Binary or memory string: ASWHOOK
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 22F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2480000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4480000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1010000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2A70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2830000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2970000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4970000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: D10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 27C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 47C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1300000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1580000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: BD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2900000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2650000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: B00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 27E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: DB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 7D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2300000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4300000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: CA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2AA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: DD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2E10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 30F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 50F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 10F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2D90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2BA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2C50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2E40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4E40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1330000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2E10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2C80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1240000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2CB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4CB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2C50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2EA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2DB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: FD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2900000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4900000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: C30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2AC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1050000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2F70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 30C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 50C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 11F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2BF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2A00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 860000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 24F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2310000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1440000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 3060000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2F80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: F40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2C00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2AD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 730000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2440000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 22C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1040000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2AA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1120000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Thread delayed: delay time: 600000
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 459 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 4595 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 987 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 359 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 888 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 864 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm2A3E.tmp\nsProcess.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Del.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm2A3E.tmp\blowfish.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libcef.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm2A3E.tmp\INetC.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsyDD2E.tmp\liteFirewall.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\log4net.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5256 Thread sleep time: -459500s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 7064 Thread sleep time: -98700s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 2344 Thread sleep time: -34600s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 2060 Thread sleep time: -35900s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe TID: 4152 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe TID: 4152 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 2704 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 6784 Thread sleep count: 35 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004B24BD FindFirstFileExW, 12_2_004B24BD
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_039B1000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection, 12_2_039B1000
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_039B4E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW, 12_2_039B4E27
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_039B1D3C FindFirstFileW,FindNextFileW, 12_2_039B1D3C
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_039B40BA FindFirstFileW,FindNextFileW, 12_2_039B40BA
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_039B3EFC FindFirstFileW,FindNextFileW, 12_2_039B3EFC
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_039B2054 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA, 12_2_039B2054
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Adobe\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\ Jump to behavior
Source: 37A.exe, 00000006.00000003.1814604438.0000000003B38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696494690p
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
Source: explorer.exe, 00000002.00000000.1435797743.0000000009330000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: explorer.exe, 00000002.00000000.1433170482.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00=
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: explorer.exe, 00000002.00000000.1435797743.0000000009255000.00000004.00000001.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1878628515.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000002.1911871756.0000000000BD7000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1853300930.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1799870119.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1853494573.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910690894.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1871675979.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910690894.0000000000BD7000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000002.1911955460.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1873234514.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: GamePall.exe, 00000028.00000002.3406232740.0000000000C87000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Y
Source: explorer.exe, 00000002.00000000.1435797743.00000000091FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: explorer.exe, 00000002.00000000.1435797743.00000000090DA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: GamePall.exe, 0000000F.00000002.3133485478.00000000009E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000002.00000000.1435797743.0000000009255000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: explorer.exe, 00000002.00000000.1435797743.00000000090DA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: explorer.exe, 00000002.00000000.1433170482.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000000.1435797743.0000000009255000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: GamePall.exe, 00000013.00000002.3203197449.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: explorer.exe, 00000002.00000000.1433170482.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000002.00000000.1435797743.0000000009330000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: explorer.exe, 00000002.00000000.1433170482.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ifgewai System information queried: CodeIntegrityInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\ifgewai Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004A4383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_004A4383
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_00445B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,FreeLibrary,task, 12_2_00445B80
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_0278092B mov eax, dword ptr fs:[00000030h] 0_2_0278092B
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_02780D90 mov eax, dword ptr fs:[00000030h] 0_2_02780D90
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_0296EC61 push dword ptr fs:[00000030h] 0_2_0296EC61
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_02850D90 mov eax, dword ptr fs:[00000030h] 5_2_02850D90
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_0285092B mov eax, dword ptr fs:[00000030h] 5_2_0285092B
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_0299F411 push dword ptr fs:[00000030h] 5_2_0299F411
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004B5891 GetProcessHeap, 12_2_004B5891
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004A4383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_004A4383
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004A0495 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_004A0495
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004A0622 SetUnhandledExceptionFilter, 12_2_004A0622
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004A06F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_004A06F0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: 56AD.exe.2.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 141.8.192.126 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 185.68.16.7 443 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 127.0.0.127 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 2.185.214.11 80 Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Thread created: C:\Windows\explorer.exe EIP: B619D0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ifgewai Thread created: unknown EIP: 76C19D0 Jump to behavior
LummaC encrypted strings found
Source: 37A.exe, 00000006.00000002.1912521666.0000000000F4D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: pedestriankodwu.xyz
Source: 37A.exe, 00000006.00000002.1912521666.0000000000F4D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: towerxxuytwi.xyz
Source: 37A.exe, 00000006.00000002.1912521666.0000000000F4D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: ellaboratepwsz.xyz
Source: 37A.exe, 00000006.00000002.1912521666.0000000000F4D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: penetratedpoopp.xyz
Source: 37A.exe, 00000006.00000002.1912521666.0000000000F4D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: swellfrrgwwos.xyz
Source: 37A.exe, 00000006.00000002.1912521666.0000000000F4D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: contintnetksows.shop
Source: 37A.exe, 00000006.00000002.1912521666.0000000000F4D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: foodypannyjsud.shop
Source: 37A.exe, 00000006.00000002.1912521666.0000000000F4D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: potterryisiw.shop
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\ifgewai Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\ifgewai Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3420 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3536 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3576 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903769137 --mojo-platform-channel-handle=3936 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903928806 --mojo-platform-channel-handle=4104 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) samsungbrowser/26.0 chrome/122.0.0.0 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3420 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) samsungbrowser/26.0 chrome/122.0.0.0 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3536 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) samsungbrowser/26.0 chrome/122.0.0.0 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3576 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) samsungbrowser/26.0 chrome/122.0.0.0 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903769137 --mojo-platform-channel-handle=3936 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) samsungbrowser/26.0 chrome/122.0.0.0 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903928806 --mojo-platform-channel-handle=4104 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) samsungbrowser/26.0 chrome/122.0.0.0 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3420 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) samsungbrowser/26.0 chrome/122.0.0.0 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3536 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) samsungbrowser/26.0 chrome/122.0.0.0 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3576 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) samsungbrowser/26.0 chrome/122.0.0.0 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903769137 --mojo-platform-channel-handle=3936 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) samsungbrowser/26.0 chrome/122.0.0.0 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903928806 --mojo-platform-channel-handle=4104 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: explorer.exe, 00000002.00000000.1434461103.00000000044D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1435797743.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1433382361.0000000001090000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.1433170482.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1433382361.0000000001090000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.1433382361.0000000001090000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: 0Program Manager
Source: explorer.exe, 00000002.00000000.1433382361.0000000001090000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.1435797743.000000000936E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd]1Q
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004A013C cpuid 12_2_004A013C
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: EnumSystemLocalesW, 12_2_004B5051
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 12_2_004B50DC
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: GetLocaleInfoW, 12_2_004AE096
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: GetLocaleInfoW, 12_2_004B532F
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 12_2_004B5458
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: GetLocaleInfoW, 12_2_004B555E
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 12_2_004B5634
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: EnumSystemLocalesW, 12_2_004ADBC7
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 12_2_004B4CBF
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: EnumSystemLocalesW, 12_2_004B4F6B
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: EnumSystemLocalesW, 12_2_004B4FB6
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\37A.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004A038F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 12_2_004A038F
Source: C:\Users\user\AppData\Local\Temp\37A.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: 37A.exe, 00000006.00000003.1878559703.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910888988.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000002.1912209776.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1871624978.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1873171538.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910690894.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1873234514.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1871675979.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1872012539.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\37A.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: 37A.exe PID: 2464, type: MEMORYSTR
Yara detected Poverty Stealer
Source: Yara match File source: 12.2.56AD.exe.39b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.56AD.exe.1218f80.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.56AD.exe.125e8a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.56AD.exe.39b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.56AD.exe.125e8a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.56AD.exe.1218f80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2666707491.000000000120D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 56AD.exe PID: 4936, type: MEMORYSTR
Yara detected SmokeLoader
Source: Yara match File source: 00000005.00000002.1675035476.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1447641178.00000000028D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1674811450.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1447603831.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 37A.exe, 00000006.00000003.1799666723.0000000000C60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "p": "%appdata%\\Electrum\\wallets",
Source: 37A.exe, 00000006.00000003.1799666723.0000000000C60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "p": "%appdata%\\ElectronCash\\wallets",
Source: 37A.exe, 00000006.00000003.1799666723.0000000000C60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: { "en": "cjelfplplebdjjenllpjcblmjkfcffne", "ez": "Jaxx Liberty" },
Source: 37A.exe, 00000006.00000003.1799666723.0000000000C60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "m": ["app-store.json", ".finger-print.fp", "simple-storage.json", "window-state.json"],
Source: 37A.exe, 00000006.00000003.1799666723.0000000000C60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "p": "%appdata%\\Exodus\\exodus.wallet",
Source: 37A.exe, 00000006.00000003.1799666723.0000000000C60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: { "en": "aholpfdialjgjfhomihkjbmgjidlcdno", "ez": "ExodusWeb3" },
Source: 37A.exe, 00000006.00000003.1799666723.0000000000C60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "p": "%appdata%\\Ethereum",
Source: 37A.exe, 00000006.00000003.1853300930.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 37A.exe, 00000006.00000003.1799666723.0000000000C60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "m": ["keystore"],
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Users\user\AppData\Local\Temp\37A.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Directory queried: C:\Users\user\Documents\ZGGKNSUKOP Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Directory queried: C:\Users\user\Documents\ZGGKNSUKOP Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Directory queried: C:\Users\user\Documents\ZGGKNSUKOP Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37A.exe Directory queried: C:\Users\user\Documents\ZGGKNSUKOP Jump to behavior
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Directory queried: number of queries: 1389
Yara detected Credential Stealer
Source: Yara match File source: 00000006.00000003.1853300930.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1853494573.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 37A.exe PID: 2464, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: 37A.exe PID: 2464, type: MEMORYSTR
Yara detected Poverty Stealer
Source: Yara match File source: 12.2.56AD.exe.39b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.56AD.exe.1218f80.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.56AD.exe.125e8a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.56AD.exe.39b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.56AD.exe.125e8a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.56AD.exe.1218f80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2666707491.000000000120D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 56AD.exe PID: 4936, type: MEMORYSTR
Yara detected SmokeLoader
Source: Yara match File source: 00000005.00000002.1675035476.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1447641178.00000000028D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1674811450.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1447603831.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1466598 Sample: JuHVfiAuLo.exe Startdate: 03/07/2024 Architecture: WINDOWS Score: 100 104 Multi AV Scanner detection for domain / URL 2->104 106 Found malware configuration 2->106 108 Malicious sample detected (through community Yara rule) 2->108 110 12 other signatures 2->110 12 JuHVfiAuLo.exe 2->12         started        15 ifgewai 2->15         started        process3 signatures4 140 Detected unpacking (changes PE section rights) 12->140 142 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->142 144 Maps a DLL or memory area into another process 12->144 146 Switches to a custom stack to bypass stack traces 12->146 17 explorer.exe 64 13 12->17 injected 148 Multi AV Scanner detection for dropped file 15->148 150 Checks if the current machine is a virtual machine (disk enumeration) 15->150 152 Creates a thread in another existing process (thread injection) 15->152 process5 dnsIp6 86 185.68.16.7 UKRAINE-ASUA Ukraine 17->86 88 2.185.214.11 TCIIR Iran (ISLAMIC Republic Of) 17->88 90 3 other IPs or domains 17->90 62 C:\Users\user\AppData\Roaming\ifgewai, PE32 17->62 dropped 64 C:\Users\user\AppData\Local\Temp\56AD.exe, PE32 17->64 dropped 66 C:\Users\user\AppData\Local\Temp\37A.exe, PE32 17->66 dropped 68 2 other malicious files 17->68 dropped 112 System process connects to network (likely due to code injection or exploit) 17->112 114 Benign windows process drops PE files 17->114 116 Deletes itself after installation 17->116 118 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->118 22 2C50.exe 3 35 17->22         started        26 37A.exe 17->26         started        29 56AD.exe 12 17->29         started        file7 signatures8 process9 dnsIp10 70 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 22->70 dropped 72 C:\Users\user\AppData\Local\...\blowfish.dll, PE32 22->72 dropped 74 C:\Users\user\AppData\Local\...\huge[1].dat, PE32 22->74 dropped 76 2 other files (none is malicious) 22->76 dropped 124 Antivirus detection for dropped file 22->124 126 Multi AV Scanner detection for dropped file 22->126 31 setup.exe 112 22->31         started        96 188.114.97.3 CLOUDFLARENETUS European Union 26->96 128 Query firmware table information (likely to detect VMs) 26->128 130 Machine Learning detection for dropped file 26->130 132 Found many strings related to Crypto-Wallets (likely being stolen) 26->132 138 3 other signatures 26->138 98 146.70.169.164 TENET-1ZA United Kingdom 29->98 100 104.192.141.1 AMAZON-02US United States 29->100 134 Found evasive API chain (may stop execution after checking mutex) 29->134 136 Tries to harvest and steal browser information (history, passwords, etc) 29->136 file11 signatures12 process13 file14 78 C:\Users\user\AppData\...\vulkan-1.dll, PE32 31->78 dropped 80 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32 31->80 dropped 82 C:\Users\user\AppData\...\libGLESv2.dll, PE32 31->82 dropped 84 16 other files (13 malicious) 31->84 dropped 102 Antivirus detection for dropped file 31->102 35 GamePall.exe 31->35         started        signatures15 process16 dnsIp17 92 172.67.221.174 CLOUDFLARENETUS United States 35->92 120 Antivirus detection for dropped file 35->120 122 Machine Learning detection for dropped file 35->122 39 GamePall.exe 35->39         started        41 GamePall.exe 35->41         started        44 GamePall.exe 35->44         started        46 6 other processes 35->46 signatures18 process19 dnsIp20 48 GamePall.exe 39->48         started        50 GamePall.exe 39->50         started        52 GamePall.exe 39->52         started        54 9 other processes 39->54 94 1.1.1.1 CLOUDFLARENETUS Australia 41->94 process21 process22 56 GamePall.exe 48->56         started        58 GamePall.exe 48->58         started        60 GamePall.exe 50->60         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
1.1.1.1
 unknown Australia
13335 CLOUDFLARENETUS false
104.192.141.1
 unknown United States
16509 AMAZON-02US false
188.114.97.3
 unknown European Union
13335 CLOUDFLARENETUS false
141.8.192.126
 unknown Russian Federation
35278 SPRINTHOSTRU true
188.114.96.3
 unknown European Union
13335 CLOUDFLARENETUS true
172.67.221.174
 unknown United States
13335 CLOUDFLARENETUS false
185.68.16.7
 unknown Ukraine
200000 UKRAINE-ASUA true
2.185.214.11
 unknown Iran (ISLAMIC Republic Of)
58224 TCIIR true
146.70.169.164
 unknown United Kingdom
2018 TENET-1ZA true

Private

IP
127.0.0.127

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://gebeus.ru/tmp/index.php true
  • 16%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://cx5519.com/tmp/index.php true
  • 12%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
contintnetksows.shop true
  • 16%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://evilos.cc/tmp/index.php true
  • Avira URL Cloud: malware
 unknown
ellaboratepwsz.xyz true
  • Avira URL Cloud: malware
 unknown
swellfrrgwwos.xyz true
  • Avira URL Cloud: malware
 unknown
foodypannyjsud.shop true
  • Avira URL Cloud: malware
 unknown
pedestriankodwu.xyz true
  • Avira URL Cloud: malware
 unknown