njrat | f4f0017ee4cd585c200a2dcd8a87c2a98e4fca402aa5e7d18c40453c5f69c01d

Analysis

max time kernel
106s
max time network
102s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
06/04/2025, 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gamemodegame.exe
Size

43KB
MD5

eb3149b5aed08f6b3c4abb50049764f0
SHA1

4001ac2d3473c71cc3ae2578c8e49bf247ca5bb5
SHA256

f4f0017ee4cd585c200a2dcd8a87c2a98e4fca402aa5e7d18c40453c5f69c01d
SHA512

87c2268bacfdcac15abc3485bca48c0fc46e90b68cda30c09ae80a01b123a517eccadf1e70856f175bd50a62dd39a615ce74af7a39457ad8e8ffed2b09648e7c
SSDEEP

384:qZy7hsVqb08yPipFcrUMgEIV2c9z0Iij+ZsNO3PlpJKkkjh/TzF7pWnS0reT0pq7:o+hs8Y5Pi/qB4VpuXQ/oz+L

Score

10^/10

njrat hacked discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

77.222.105.54:6346

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	gamemodegame.exe

Executes dropped EXE 9 IoCs

pid	Process
4136	gamemodegame.exe
840	gamemodegame.exe
5564	gamemodegame.exe
4380	gamemodegame.exe
5600	gamemodegame.exe
2436	gamemodegame.exe
2804	Server.exe
4028	gamemodegame.exe
6044	gamemodegame.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\gamemodegame.exe\" .."	gamemodegame.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\gamemodegame.exe\" .."	gamemodegame.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gamemodegame.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gamemodegame.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gamemodegame.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gamemodegame.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gamemodegame.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gamemodegame.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gamemodegame.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gamemodegame.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gamemodegame.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gamemodegame.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gamemodegame.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3412	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 7 IoCs

pid	Process
4472	gamemodegame.exe
788	gamemodegame.exe
3804	gamemodegame.exe
4136	gamemodegame.exe
840	gamemodegame.exe
5564	gamemodegame.exe
4380	gamemodegame.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	1664	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1664	AUDIODG.EXE
Token: SeDebugPrivilege	4472	gamemodegame.exe
Token: 33	4472	gamemodegame.exe
Token: SeIncBasePriorityPrivilege	4472	gamemodegame.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 3412	4472	gamemodegame.exe	95
PID 4472 wrote to memory of 3412	4472	gamemodegame.exe	95
PID 4472 wrote to memory of 3412	4472	gamemodegame.exe	95
PID 4876 wrote to memory of 788	4876	cmd.exe	97
PID 4876 wrote to memory of 788	4876	cmd.exe	97
PID 4876 wrote to memory of 788	4876	cmd.exe	97
PID 4884 wrote to memory of 3804	4884	cmd.exe	98
PID 4884 wrote to memory of 3804	4884	cmd.exe	98
PID 4884 wrote to memory of 3804	4884	cmd.exe	98
PID 5396 wrote to memory of 4136	5396	cmd.exe	104
PID 5396 wrote to memory of 4136	5396	cmd.exe	104
PID 5396 wrote to memory of 4136	5396	cmd.exe	104
PID 5588 wrote to memory of 840	5588	cmd.exe	105
PID 5588 wrote to memory of 840	5588	cmd.exe	105
PID 5588 wrote to memory of 840	5588	cmd.exe	105
PID 6096 wrote to memory of 5564	6096	cmd.exe	111
PID 6096 wrote to memory of 5564	6096	cmd.exe	111
PID 6096 wrote to memory of 5564	6096	cmd.exe	111
PID 3160 wrote to memory of 4380	3160	cmd.exe	115
PID 3160 wrote to memory of 4380	3160	cmd.exe	115
PID 3160 wrote to memory of 4380	3160	cmd.exe	115
PID 4756 wrote to memory of 5600	4756	cmd.exe	120
PID 4756 wrote to memory of 5600	4756	cmd.exe	120
PID 4756 wrote to memory of 5600	4756	cmd.exe	120
PID 1988 wrote to memory of 2436	1988	cmd.exe	134
PID 1988 wrote to memory of 2436	1988	cmd.exe	134
PID 1988 wrote to memory of 2436	1988	cmd.exe	134
PID 1220 wrote to memory of 4028	1220	cmd.exe	152
PID 1220 wrote to memory of 4028	1220	cmd.exe	152
PID 1220 wrote to memory of 4028	1220	cmd.exe	152
PID 4260 wrote to memory of 6044	4260	cmd.exe	157
PID 4260 wrote to memory of 6044	4260	cmd.exe	157
PID 4260 wrote to memory of 6044	4260	cmd.exe	157

C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
"C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3412

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:5588
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:5396
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:6096
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:5312
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:3624
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:2088

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp/Server.exe"
1⤵
- Executes dropped EXE
PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:3568
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:1396
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:3812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:4924
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:3356
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:4428
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:5988
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:2208
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:5820
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:3640
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:1164
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:1584
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:5540
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:1292
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:1980
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:3308
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:3012
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:6496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:5276
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:6696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:2156
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:6276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:2024
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:6816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:4500
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:3272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:4892
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:4288
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:7156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:5184
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:4896
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:5028
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:1692
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:3064
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:404
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:7144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:840
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:2016
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:6236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:4856
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:5572
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:4776
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:3776
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:1256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:3688
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:2960
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:3104
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:2724
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:6208
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:6964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:6216
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:2576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:6400
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:6408
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:6536
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:6544
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:6672
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:6680
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:6832
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:6256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:6840
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:7020
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:7028
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:1556
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:7492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:6200
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:6508
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:5844
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:7700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:548
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:7588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:7152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:3156
- C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe
  C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe ..
  2⤵
  PID:7868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:6148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:6268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:6464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:6308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:7012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:5564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:7224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:7232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:7420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:7428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:7560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:7568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:7760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:7768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:7892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:7904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:8120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe" ..
1⤵
PID:8128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gamemodegame.exe.log

Filesize
507B

MD5
dd113bc063fe53dc74ead8403c979e3d

SHA1
f0a5283a5d047aeb6b4b906194e5f3252b95d5e9

SHA256
aebf3315c2c092e5b9bf62717e6e8ec7a8c48433a531162e35e3f1a6bde4b242

SHA512
c951f5740dcfa018d92a78bcaabee5a39079beeb72041975f85ee2b01bd25e507fb9a2a2d8962196e04edf00cbe69eb235b0117056dd95476093577e537e2281

Download Submit
C:\Users\Admin\AppData\Local\Temp\gamemodegame.exe

Filesize
43KB

MD5
eb3149b5aed08f6b3c4abb50049764f0

SHA1
4001ac2d3473c71cc3ae2578c8e49bf247ca5bb5

SHA256
f4f0017ee4cd585c200a2dcd8a87c2a98e4fca402aa5e7d18c40453c5f69c01d

SHA512
87c2268bacfdcac15abc3485bca48c0fc46e90b68cda30c09ae80a01b123a517eccadf1e70856f175bd50a62dd39a615ce74af7a39457ad8e8ffed2b09648e7c

Download Submit
memory/788-9-0x0000000074A10000-0x00000000751C1000-memory.dmp

Filesize
7.7MB

Download
memory/788-13-0x0000000074A10000-0x00000000751C1000-memory.dmp

Filesize
7.7MB

Download
memory/788-11-0x0000000074A10000-0x00000000751C1000-memory.dmp

Filesize
7.7MB

Download
memory/788-10-0x0000000074A10000-0x00000000751C1000-memory.dmp

Filesize
7.7MB

Download
memory/4472-3-0x0000000005FD0000-0x0000000006576000-memory.dmp

Filesize
5.6MB

Download
memory/4472-7-0x0000000074A10000-0x00000000751C1000-memory.dmp

Filesize
7.7MB

Download
memory/4472-6-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

Filesize
4KB

Download
memory/4472-5-0x0000000005AC0000-0x0000000005B52000-memory.dmp

Filesize
584KB

Download
memory/4472-4-0x0000000074A10000-0x00000000751C1000-memory.dmp

Filesize
7.7MB

Download
memory/4472-0-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

Filesize
4KB

Download
memory/4472-14-0x0000000005900000-0x000000000590A000-memory.dmp

Filesize
40KB

Download
memory/4472-2-0x00000000056C0000-0x000000000575C000-memory.dmp

Filesize
624KB

Download
memory/4472-1-0x0000000000CC0000-0x0000000000CD2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads