xworm | 501811083cd4441914057188240e81b0c07ee52da841be5b48439b23dd1c78b7

Analysis

max time kernel
149s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

steam.exe
Size

64KB
MD5

931304a01acc611b8e637e4056eacf1a
SHA1

621327eb10dc7a3b4ea5f4f8eacde198a1b83eda
SHA256

501811083cd4441914057188240e81b0c07ee52da841be5b48439b23dd1c78b7
SHA512

3aba4030c25a9b90e2d5ebaafed9efd42314d60e4c5dc374a14ebb10788777372301129ccb92484e0d0ee188637ba8aa892e200b7c9f73e77cb0d8916ebf8b94
SSDEEP

1536:HtGW7tT67jrizXqMRJtjYtfEWPrfPh4bZKtpe/:0WpmLi+MOPr+bZ2pe/

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

25.ip.gl.ply.gg:22709

Attributes

Install_directory
%AppData%
install_file
svhost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0063000000011c27-5.dat	family_xworm
behavioral1/memory/2616-8-0x0000000000390000-0x00000000003A8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2256	powershell.exe
2536	powershell.exe
2800	powershell.exe
2060	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	yougame.biz.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	yougame.biz.exe

Executes dropped EXE 64 IoCs

pid	Process
2616	yougame.biz.exe
2828	yougame.biz.exe
2584	yougame.biz.exe
340	yougame.biz.exe
2188	yougame.biz.exe
1772	yougame.biz.exe
1872	yougame.biz.exe
2688	yougame.biz.exe
1956	yougame.biz.exe
1136	yougame.biz.exe
1968	yougame.biz.exe
2752	yougame.biz.exe
2676	yougame.biz.exe
2568	yougame.biz.exe
2096	yougame.biz.exe
316	yougame.biz.exe
1836	yougame.biz.exe
1600	yougame.biz.exe
2344	yougame.biz.exe
2176	yougame.biz.exe
2972	yougame.biz.exe
2924	yougame.biz.exe
692	yougame.biz.exe
2220	yougame.biz.exe
1948	yougame.biz.exe
2140	yougame.biz.exe
2436	yougame.biz.exe
2896	yougame.biz.exe
1200	yougame.biz.exe
2816	yougame.biz.exe
276	yougame.biz.exe
2572	yougame.biz.exe
1836	yougame.biz.exe
3032	yougame.biz.exe
344	yougame.biz.exe
1820	yougame.biz.exe
1792	yougame.biz.exe
2860	yougame.biz.exe
1364	yougame.biz.exe
2108	yougame.biz.exe
2720	yougame.biz.exe
2668	yougame.biz.exe
2824	yougame.biz.exe
2676	yougame.biz.exe
1500	yougame.biz.exe
2556	yougame.biz.exe
2416	yougame.biz.exe
2584	yougame.biz.exe
2892	yougame.biz.exe
1784	yougame.biz.exe
2176	yougame.biz.exe
1008	yougame.biz.exe
292	yougame.biz.exe
1324	yougame.biz.exe
1160	yougame.biz.exe
2876	yougame.biz.exe
2428	yougame.biz.exe
2720	yougame.biz.exe
2668	yougame.biz.exe
2896	yougame.biz.exe
2648	yougame.biz.exe
948	yougame.biz.exe
2804	yougame.biz.exe
540	yougame.biz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe"	yougame.biz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2536	powershell.exe
2800	powershell.exe
2060	powershell.exe
2256	powershell.exe
2616	yougame.biz.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	yougame.biz.exe
Token: SeDebugPrivilege	2828	yougame.biz.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2584	yougame.biz.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2616	yougame.biz.exe
Token: SeDebugPrivilege	340	yougame.biz.exe
Token: SeDebugPrivilege	2188	yougame.biz.exe
Token: SeDebugPrivilege	1772	yougame.biz.exe
Token: SeDebugPrivilege	1872	yougame.biz.exe
Token: SeDebugPrivilege	2688	yougame.biz.exe
Token: SeDebugPrivilege	1956	yougame.biz.exe
Token: SeDebugPrivilege	1136	yougame.biz.exe
Token: SeDebugPrivilege	1968	yougame.biz.exe
Token: SeDebugPrivilege	2752	yougame.biz.exe
Token: SeDebugPrivilege	2676	yougame.biz.exe
Token: SeDebugPrivilege	2568	yougame.biz.exe
Token: SeDebugPrivilege	2096	yougame.biz.exe
Token: SeDebugPrivilege	316	yougame.biz.exe
Token: SeDebugPrivilege	1836	yougame.biz.exe
Token: SeDebugPrivilege	1600	yougame.biz.exe
Token: SeDebugPrivilege	2344	yougame.biz.exe
Token: SeDebugPrivilege	2176	yougame.biz.exe
Token: SeDebugPrivilege	2972	yougame.biz.exe
Token: SeDebugPrivilege	2924	yougame.biz.exe
Token: SeDebugPrivilege	692	yougame.biz.exe
Token: SeDebugPrivilege	2220	yougame.biz.exe
Token: SeDebugPrivilege	1948	yougame.biz.exe
Token: SeDebugPrivilege	2140	yougame.biz.exe
Token: SeDebugPrivilege	2436	yougame.biz.exe
Token: SeDebugPrivilege	2896	yougame.biz.exe
Token: SeDebugPrivilege	1200	yougame.biz.exe
Token: SeDebugPrivilege	2816	yougame.biz.exe
Token: SeDebugPrivilege	276	yougame.biz.exe
Token: SeDebugPrivilege	2572	yougame.biz.exe
Token: SeDebugPrivilege	1836	yougame.biz.exe
Token: SeDebugPrivilege	3032	yougame.biz.exe
Token: SeDebugPrivilege	344	yougame.biz.exe
Token: SeDebugPrivilege	1820	yougame.biz.exe
Token: SeDebugPrivilege	1792	yougame.biz.exe
Token: SeDebugPrivilege	2860	yougame.biz.exe
Token: SeDebugPrivilege	1364	yougame.biz.exe
Token: SeDebugPrivilege	2108	yougame.biz.exe
Token: SeDebugPrivilege	2720	yougame.biz.exe
Token: SeDebugPrivilege	2668	yougame.biz.exe
Token: SeDebugPrivilege	2824	yougame.biz.exe
Token: SeDebugPrivilege	2676	yougame.biz.exe
Token: SeDebugPrivilege	1500	yougame.biz.exe
Token: SeDebugPrivilege	2556	yougame.biz.exe
Token: SeDebugPrivilege	2416	yougame.biz.exe
Token: SeDebugPrivilege	2584	yougame.biz.exe
Token: SeDebugPrivilege	2892	yougame.biz.exe
Token: SeDebugPrivilege	1784	yougame.biz.exe
Token: SeDebugPrivilege	2176	yougame.biz.exe
Token: SeDebugPrivilege	1008	yougame.biz.exe
Token: SeDebugPrivilege	292	yougame.biz.exe
Token: SeDebugPrivilege	1324	yougame.biz.exe
Token: SeDebugPrivilege	1160	yougame.biz.exe
Token: SeDebugPrivilege	2876	yougame.biz.exe
Token: SeDebugPrivilege	2428	yougame.biz.exe
Token: SeDebugPrivilege	2720	yougame.biz.exe
Token: SeDebugPrivilege	2668	yougame.biz.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2616	yougame.biz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2708	2364	steam.exe	30
PID 2364 wrote to memory of 2708	2364	steam.exe	30
PID 2364 wrote to memory of 2708	2364	steam.exe	30
PID 2364 wrote to memory of 2616	2364	steam.exe	31
PID 2364 wrote to memory of 2616	2364	steam.exe	31
PID 2364 wrote to memory of 2616	2364	steam.exe	31
PID 2708 wrote to memory of 2544	2708	steam.exe	32
PID 2708 wrote to memory of 2544	2708	steam.exe	32
PID 2708 wrote to memory of 2544	2708	steam.exe	32
PID 2708 wrote to memory of 2828	2708	steam.exe	33
PID 2708 wrote to memory of 2828	2708	steam.exe	33
PID 2708 wrote to memory of 2828	2708	steam.exe	33
PID 2616 wrote to memory of 2536	2616	yougame.biz.exe	34
PID 2616 wrote to memory of 2536	2616	yougame.biz.exe	34
PID 2616 wrote to memory of 2536	2616	yougame.biz.exe	34
PID 2616 wrote to memory of 2800	2616	yougame.biz.exe	36
PID 2616 wrote to memory of 2800	2616	yougame.biz.exe	36
PID 2616 wrote to memory of 2800	2616	yougame.biz.exe	36
PID 2616 wrote to memory of 2060	2616	yougame.biz.exe	38
PID 2616 wrote to memory of 2060	2616	yougame.biz.exe	38
PID 2616 wrote to memory of 2060	2616	yougame.biz.exe	38
PID 2544 wrote to memory of 1360	2544	steam.exe	40
PID 2544 wrote to memory of 1360	2544	steam.exe	40
PID 2544 wrote to memory of 1360	2544	steam.exe	40
PID 2544 wrote to memory of 2584	2544	steam.exe	41
PID 2544 wrote to memory of 2584	2544	steam.exe	41
PID 2544 wrote to memory of 2584	2544	steam.exe	41
PID 2616 wrote to memory of 2256	2616	yougame.biz.exe	42
PID 2616 wrote to memory of 2256	2616	yougame.biz.exe	42
PID 2616 wrote to memory of 2256	2616	yougame.biz.exe	42
PID 1360 wrote to memory of 592	1360	steam.exe	44
PID 1360 wrote to memory of 592	1360	steam.exe	44
PID 1360 wrote to memory of 592	1360	steam.exe	44
PID 1360 wrote to memory of 340	1360	steam.exe	45
PID 1360 wrote to memory of 340	1360	steam.exe	45
PID 1360 wrote to memory of 340	1360	steam.exe	45
PID 592 wrote to memory of 2080	592	steam.exe	46
PID 592 wrote to memory of 2080	592	steam.exe	46
PID 592 wrote to memory of 2080	592	steam.exe	46
PID 592 wrote to memory of 2188	592	steam.exe	47
PID 592 wrote to memory of 2188	592	steam.exe	47
PID 592 wrote to memory of 2188	592	steam.exe	47
PID 2080 wrote to memory of 1820	2080	steam.exe	48
PID 2080 wrote to memory of 1820	2080	steam.exe	48
PID 2080 wrote to memory of 1820	2080	steam.exe	48
PID 2080 wrote to memory of 1772	2080	steam.exe	49
PID 2080 wrote to memory of 1772	2080	steam.exe	49
PID 2080 wrote to memory of 1772	2080	steam.exe	49
PID 1820 wrote to memory of 824	1820	steam.exe	50
PID 1820 wrote to memory of 824	1820	steam.exe	50
PID 1820 wrote to memory of 824	1820	steam.exe	50
PID 1820 wrote to memory of 1872	1820	steam.exe	51
PID 1820 wrote to memory of 1872	1820	steam.exe	51
PID 1820 wrote to memory of 1872	1820	steam.exe	51
PID 824 wrote to memory of 2124	824	steam.exe	52
PID 824 wrote to memory of 2124	824	steam.exe	52
PID 824 wrote to memory of 2124	824	steam.exe	52
PID 824 wrote to memory of 2688	824	steam.exe	53
PID 824 wrote to memory of 2688	824	steam.exe	53
PID 824 wrote to memory of 2688	824	steam.exe	53
PID 2124 wrote to memory of 1040	2124	steam.exe	54
PID 2124 wrote to memory of 1040	2124	steam.exe	54
PID 2124 wrote to memory of 1040	2124	steam.exe	54
PID 2124 wrote to memory of 1956	2124	steam.exe	55

C:\Users\Admin\AppData\Local\Temp\steam.exe
"C:\Users\Admin\AppData\Local\Temp\steam.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\steam.exe
  "C:\Users\Admin\AppData\Local\Temp\steam.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\steam.exe
    "C:\Users\Admin\AppData\Local\Temp\steam.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\steam.exe
      "C:\Users\Admin\AppData\Local\Temp\steam.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1360
    - - C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:592
      - C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        10⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        11⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        12⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        13⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        14⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        15⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        16⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        17⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        18⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        19⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        20⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        21⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        22⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        23⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        24⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        25⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        26⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        27⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        28⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        29⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        30⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        31⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        32⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        33⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        34⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        35⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        36⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        37⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        38⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        39⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        40⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        41⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        42⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        43⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        44⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        45⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        46⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        47⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        48⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        49⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        50⤵
        
        PID:420
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        51⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        52⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        53⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        54⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        55⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        56⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        57⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        58⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        59⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        60⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        61⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        62⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        63⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        64⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        65⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        66⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        67⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        68⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        69⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        70⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        71⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\steam.exe
        
        "C:\Users\Admin\AppData\Local\Temp\steam.exe"
        72⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        72⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        71⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        70⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        69⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        68⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        67⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        66⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        65⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        64⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        63⤵
        Executes dropped EXE
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        62⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        61⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        60⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
      - C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
  - - C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
      "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2584
- - C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
    "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe
  "C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'yougame.biz.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yougame.biz.exe

Filesize
73KB

MD5
ee9a22a50485cfdc04d74d064d31c759

SHA1
7771a94716a3415b12e33a4733e76d7d0db92dac

SHA256
bfd2d7d903cca76b8600df3c3c4f3ebb5e5c04ec9608912373a402c7d0b9333e

SHA512
d8f2acb24b49735b40b14edc4259affd1cfa6201fc6574eaaadf748f33de21713fd0cffc3e15208688c975e31be2bad208d141b4f535ca51c6bf27e9383d4719

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6033cbb7f6304bcc0cc9d826be8bf3aa

SHA1
1363b5527357c0b94908bb4068ba6272d5943ecb

SHA256
210ebff651d9e8bbb69ab34a1e38907502bde5fb8fc5697f0b85621a7accea4a

SHA512
0ebccdc42e692d7c10dfdcd26a775e0c5677ace88b9acc1dc1e37359075ee66acd06600c528a7aafcf9c571eb582a2809da383e0b9f10d2067792af83d57acaf

Download Submit
memory/2364-10-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/2364-0-0x000007FEF5683000-0x000007FEF5684000-memory.dmp

Filesize
4KB

Download
memory/2364-7-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/2364-1-0x000000013F760000-0x000000013F774000-memory.dmp

Filesize
80KB

Download
memory/2536-17-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2536-18-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2616-8-0x0000000000390000-0x00000000003A8000-memory.dmp

Filesize
96KB

Download
memory/2708-9-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/2708-12-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/2800-24-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2800-25-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download