7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155

Analysis

max time kernel
300s
max time network
273s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155.exe
Size

234KB
MD5

ca1222f744791190c86d0ade1bc9c222
SHA1

7e27bedc21a3dabab82741840799f3fc78f35b4f
SHA256

7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155
SHA512

278a6ae5defe92d59cf9725ec639d38d0320eb879824e9276e79e524de8b4888b60de16706aa946163a424f09b10840391a49bfccd0ae2c32a354c079d82de3f
SSDEEP

3072:RFi6z/VXzAf3ocOva7fvYnS4OVzX+xm9roxE8cqU/A:RxFSqy7qAzOxm9YcqP

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 27 IoCs

Processes:

setup.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exe

pid	process
2488	setup.exe
1356	GamePall.exe
2376	GamePall.exe
340	GamePall.exe
3024	GamePall.exe
3044	GamePall.exe
2068	GamePall.exe
1648	GamePall.exe
1916	GamePall.exe
1204	GamePall.exe
2760	GamePall.exe
2560	GamePall.exe
2364	GamePall.exe
1744	GamePall.exe
1536	GamePall.exe
2440	GamePall.exe
2084	GamePall.exe
1564	GamePall.exe
1776	GamePall.exe
892	GamePall.exe
448	GamePall.exe
1472	GamePall.exe
2648	GamePall.exe
1484	GamePall.exe
2000	GamePall.exe
2928	GamePall.exe
1404	GamePall.exe

Loads dropped DLL 64 IoCs

Processes:

7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155.exesetup.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exe

pid	process
620	7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155.exe
620	7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155.exe
620	7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155.exe
620	7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155.exe
2488	setup.exe
2488	setup.exe
2488	setup.exe
1356	GamePall.exe
1356	GamePall.exe
1356	GamePall.exe
1356	GamePall.exe
1356	GamePall.exe
1356	GamePall.exe
1356	GamePall.exe
1356	GamePall.exe
1356	GamePall.exe
1356	GamePall.exe
1356	GamePall.exe
1356	GamePall.exe
2376	GamePall.exe
2376	GamePall.exe
2376	GamePall.exe
2376	GamePall.exe
340	GamePall.exe
340	GamePall.exe
340	GamePall.exe
340	GamePall.exe
2376	GamePall.exe
2376	GamePall.exe
340	GamePall.exe
340	GamePall.exe
3024	GamePall.exe
3024	GamePall.exe
3024	GamePall.exe
3024	GamePall.exe
3024	GamePall.exe
3024	GamePall.exe
3044	GamePall.exe
3044	GamePall.exe
3044	GamePall.exe
3044	GamePall.exe
3044	GamePall.exe
3044	GamePall.exe
2068	GamePall.exe
2068	GamePall.exe
2068	GamePall.exe
2068	GamePall.exe
2068	GamePall.exe
2068	GamePall.exe
1648	GamePall.exe
1648	GamePall.exe
1648	GamePall.exe
1648	GamePall.exe
1648	GamePall.exe
1648	GamePall.exe
1916	GamePall.exe
1916	GamePall.exe
1916	GamePall.exe
1916	GamePall.exe
1916	GamePall.exe
1916	GamePall.exe
2376	GamePall.exe
2376	GamePall.exe
2376	GamePall.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\GamePall = "C:\\Users\\Admin\\AppData\\Roaming\\GamePall\\GamePall.exe"	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
NSIS installer 2 IoCs
installer

Processes:

resource yara_rule

C:\Users\Admin\AppData\Roaming\GamePall\Uninstall.exe nsis_installer_1
C:\Users\Admin\AppData\Roaming\GamePall\Uninstall.exe nsis_installer_2

resource	yara_rule
C:\Users\Admin\AppData\Roaming\GamePall\Uninstall.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\GamePall\Uninstall.exe	nsis_installer_2

Modifies Control Panel 5 IoCs

evasion

Processes:

GamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	GamePall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	GamePall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	GamePall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	GamePall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	GamePall.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exe

pid	process
620	7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155.exe
620	7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155.exe
1356	GamePall.exe
1356	GamePall.exe
1356	GamePall.exe
1356	GamePall.exe
1356	GamePall.exe
1356	GamePall.exe
1356	GamePall.exe
1356	GamePall.exe
2376	GamePall.exe
2376	GamePall.exe
2376	GamePall.exe
2376	GamePall.exe
2376	GamePall.exe
2376	GamePall.exe
2376	GamePall.exe
1204	GamePall.exe
1204	GamePall.exe
1204	GamePall.exe
1204	GamePall.exe
1204	GamePall.exe
1204	GamePall.exe
1204	GamePall.exe
2440	GamePall.exe
2440	GamePall.exe
2440	GamePall.exe
2440	GamePall.exe
2440	GamePall.exe
2440	GamePall.exe
2440	GamePall.exe
1472	GamePall.exe
1472	GamePall.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

GamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exeGamePall.exe

description	pid	process
Token: SeDebugPrivilege	1356	GamePall.exe
Token: SeDebugPrivilege	2376	GamePall.exe
Token: SeDebugPrivilege	340	GamePall.exe
Token: SeDebugPrivilege	3024	GamePall.exe
Token: SeDebugPrivilege	3044	GamePall.exe
Token: SeDebugPrivilege	2068	GamePall.exe
Token: SeDebugPrivilege	1648	GamePall.exe
Token: SeDebugPrivilege	1916	GamePall.exe
Token: SeDebugPrivilege	1204	GamePall.exe
Token: SeDebugPrivilege	2760	GamePall.exe
Token: SeDebugPrivilege	2560	GamePall.exe
Token: SeDebugPrivilege	2364	GamePall.exe
Token: SeDebugPrivilege	1744	GamePall.exe
Token: SeDebugPrivilege	1536	GamePall.exe
Token: SeDebugPrivilege	2440	GamePall.exe
Token: SeDebugPrivilege	2084	GamePall.exe
Token: SeDebugPrivilege	1564	GamePall.exe
Token: SeDebugPrivilege	1776	GamePall.exe
Token: SeDebugPrivilege	892	GamePall.exe
Token: SeDebugPrivilege	448	GamePall.exe
Token: SeDebugPrivilege	1472	GamePall.exe
Token: SeDebugPrivilege	2648	GamePall.exe
Token: SeDebugPrivilege	1484	GamePall.exe
Token: SeDebugPrivilege	2000	GamePall.exe
Token: SeDebugPrivilege	2928	GamePall.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155.exesetup.exeGamePall.exeGamePall.exeGamePall.exe

description	pid	process	target process
PID 620 wrote to memory of 2488	620	7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155.exe	setup.exe
PID 620 wrote to memory of 2488	620	7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155.exe	setup.exe
PID 620 wrote to memory of 2488	620	7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155.exe	setup.exe
PID 620 wrote to memory of 2488	620	7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155.exe	setup.exe
PID 620 wrote to memory of 2488	620	7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155.exe	setup.exe
PID 620 wrote to memory of 2488	620	7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155.exe	setup.exe
PID 620 wrote to memory of 2488	620	7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155.exe	setup.exe
PID 2488 wrote to memory of 1356	2488	setup.exe	GamePall.exe
PID 2488 wrote to memory of 1356	2488	setup.exe	GamePall.exe
PID 2488 wrote to memory of 1356	2488	setup.exe	GamePall.exe
PID 2488 wrote to memory of 1356	2488	setup.exe	GamePall.exe
PID 1356 wrote to memory of 2376	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 2376	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 2376	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 2376	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 340	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 340	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 340	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 340	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 3024	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 3024	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 3024	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 3024	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 3044	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 3044	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 3044	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 3044	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 2068	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 2068	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 2068	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 2068	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 1648	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 1648	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 1648	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 1648	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 1916	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 1916	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 1916	1356	GamePall.exe	GamePall.exe
PID 1356 wrote to memory of 1916	1356	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 1204	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 1204	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 1204	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 1204	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 2760	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 2760	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 2760	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 2760	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 2560	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 2560	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 2560	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 2560	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 2364	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 2364	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 2364	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 2364	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 1744	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 1744	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 1744	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 1744	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 1536	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 1536	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 1536	2376	GamePall.exe	GamePall.exe
PID 2376 wrote to memory of 1536	2376	GamePall.exe	GamePall.exe
PID 1204 wrote to memory of 2440	1204	GamePall.exe	GamePall.exe

C:\Users\Admin\AppData\Local\Temp\7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155.exe
"C:\Users\Admin\AppData\Local\Temp\7277e8b88bd7b5ba14e7243579329180880e4834127ef515d0439de434c62155.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
5⤵
- Executes dropped EXE
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
6⤵
- Executes dropped EXE
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
7⤵
- Executes dropped EXE
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
7⤵
- Executes dropped EXE
PID:1404

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
"C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1916

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso7C34.tmp\liteFirewall.dll
Filesize
81KB

MD5
165e1ef5c79475e8c33d19a870e672d4

SHA1
965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5

SHA256
9db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd

SHA512
cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a

Download Submit
C:\Users\Admin\AppData\Roaming\GamePall\Uninstall.exe
Filesize
210KB

MD5
9d21a25aa1b5985a2c8cbce7f7007295

SHA1
86ebf56352b4dbb831fae0cca180b4add951240d

SHA256
e41f984c39183ba4fd1578134d71e203f4a7a8c23f278924562876326fc40ee2

SHA512
ee4a1ac97968f2dda3c54a49ac33d3fce28c4dae72032d9fdd1f8d8ba41b07a1d78d15e11586da54ad5e0f2bd4a48c79a0cbac84de3d957b2ac6c1b5f41a33bb

Download Submit
C:\Users\Admin\AppData\Roaming\GamePall\Xilium.CefGlue.dll
Filesize
855KB

MD5
b03c7f6072a0cb1a1d6a92ee7b82705a

SHA1
6675839c5e266075e7e1812ad8e856a2468274dd

SHA256
f561713347544e9d06d30f02a3dfcec5fe593b38894593aeedf5700666b35027

SHA512
19d6792eb9ba8584b94d0d59e07ce9d1c9c4da5516490f4abce5ae0d7d55b357bda45b2093b3e9eb9d6858061e9d3f530a6655c4779a50c911501ae23925c566

Download Submit
C:\Users\Admin\AppData\Roaming\GamePall\log4net.dll
Filesize
269KB

MD5
7ea1429e71d83a1ccaa0942c4d7f1c41

SHA1
4ce6acf4d735354b98f416b3d94d89af0611e563

SHA256
edec54da1901e649588e8cb52b001ab2aec76ed0430824457a904fcc0abd4299

SHA512
91c90845a12a377b617140b67639cfa71a0648300336d5edd422afc362e65c6ccd3a4ff4936d4262b0eaf7bae2b9624bcd3c7eec79f7e7ca18abe1ec62c4c869

Download Submit
\Users\Admin\AppData\Local\Temp\nst24E1.tmp\INetC.dll
Filesize
21KB

MD5
92ec4dd8c0ddd8c4305ae1684ab65fb0

SHA1
d850013d582a62e502942f0dd282cc0c29c4310e

SHA256
5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934

SHA512
581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

Download Submit
\Users\Admin\AppData\Local\Temp\nst24E1.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
\Users\Admin\AppData\Local\Temp\nst24E1.tmp\nsProcess.dll
Filesize
4KB

MD5
faa7f034b38e729a983965c04cc70fc1

SHA1
df8bda55b498976ea47d25d8a77539b049dab55e

SHA256
579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf

SHA512
7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

Download Submit
\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
Filesize
289KB

MD5
7a3502c1119795d35569535de243b6fe

SHA1
da0d16bc66614c7d273c47f321c5ee0652fb5575

SHA256
b18fefb56ed7b89e45cec8a5494fbec81e36a5cb5538ccbb8de41cce960faa30

SHA512
258b111ac256cd8145cbe212d59dff5840d67e70effd7cddc157b2a3461b398bbc3446004980131faa6a8762c19305f56e7b793f045331b56b8bd17d85b884c4

Download Submit
\Users\Admin\AppData\Roaming\GamePall\Newtonsoft.Json.dll
Filesize
560KB

MD5
8f81c9520104b730c25d90a9dd511148

SHA1
7cf46cb81c3b51965c1f78762840eb5797594778

SHA256
f1f01b3474b92d6e1c3d6adfae74ee0ea0eba6e9935565fe2317686d80a2e886

SHA512
b4a66389bf06a6611df47e81b818cc2fcd0a854324a2564a4438866953f148950f59cd4c07c9d40cc3a9043b5ce12b150c8a56cccdf98d5e3f0225edf8c516f3

Download Submit
memory/1356-140-0x0000000000800000-0x000000000084E000-memory.dmp

Filesize
312KB

Download
memory/1356-144-0x0000000000420000-0x000000000046A000-memory.dmp

Filesize
296KB

Download
memory/1356-150-0x0000000005130000-0x000000000520C000-memory.dmp

Filesize
880KB

Download
memory/1356-154-0x00000000042F0000-0x0000000004380000-memory.dmp

Filesize
576KB

Download
memory/2376-197-0x0000000005530000-0x00000000055C0000-memory.dmp

Filesize
576KB

Download