asyncrat | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

22/04/2025, 00:37

250422-ayqbeaspz6 10

21/04/2025, 17:05

250421-vmcamatky2 10

Analysis

max time kernel
52s
max time network
75s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
21/04/2025, 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

winlogson

192.168.178.69:4782

coluich1220.duckdns.org:4782

Mutex

a409f48d-fe2a-4207-b2c2-585b18fb47b3

Attributes

encryption_key
4A886EE72F3932EB3311C152EDED110A81EF6553
install_name
winlogson.exe
log_directory
Logs
reconnect_delay
3000
startup_key
winlogson
subdirectory
winlogson

Extracted

Family

quasar

Version

1.4.1

Botnet

RuntimeBroker

qrpn9be.localto.net:2810

Mutex

fc5edab1-6e8f-4963-98aa-bd077e08750f

Attributes

encryption_key
F749DCAC94A1FC3102D2B0CFBBFCB76086F86568
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
a7

Extracted

Family

xworm

Version

5.0

lohoainam2008-36048.portmap.io:36048

Attributes

Install_directory
%AppData%
install_file
Setup.exe
telegram
https://api.telegram.org/bot6189190228:AAF5CGiKGC5p4mkyZfTy1Lp5BrZMWsKu-pk/sendMessage?chat_id=5666777098

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

8TdjLZxCzOjI

Attributes

delay
3
install
true
install_file
client.exe
install_folder
%AppData%

aes.plain

Extracted

Family

metasploit

Version

windows/reverse_tcp

167.250.49.155:445

Extracted

Family

lumma

https://zestmodp.top/zeda

https://jawdedmirror.run/ewqd

https://changeaie.top/geps

https://lonfgshadow.live/xawi

https://liftally.top/xasj

https://nighetwhisper.top/lekd

https://salaccgfa.top/gsooz

https://owlflright.digital/qopy

Extracted

Family

gurcu

https://api.telegram.org/bot6189190228:AAF5CGiKGC5p4mkyZfTy1Lp5BrZMWsKu-pk/sendMessage?chat_id=5666777098

Signatures

An open source browser data exporter written in golang. 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002b1ca-162.dat	family_hackbrowserdata

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002b1c2-72.dat	family_xworm
behavioral1/memory/4540-80-0x00000000003F0000-0x000000000040A000-memory.dmp	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
HackBrowserData
An open source golang web browser extractor.
infostealer hackbrowserdata
Hackbrowserdata family
hackbrowserdata
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral1/files/0x001900000002b1b7-27.dat	family_quasar
behavioral1/memory/5088-35-0x0000000000F10000-0x0000000001270000-memory.dmp	family_quasar
behavioral1/files/0x001900000002b1ba-46.dat	family_quasar
behavioral1/memory/4076-53-0x0000000000730000-0x0000000000A54000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x002100000002b1ee-407.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3904	powershell.exe
5824	powershell.exe
2324	powershell.exe
240	powershell.exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 19 IoCs

flow	pid	Process
74	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
81	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
5	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
5	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
5	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
5	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
5	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
5	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
5	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
5	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
5	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
5	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
5	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
5	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
57	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
3	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
12	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
15	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
63	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe

Modifies Windows Firewall 2 TTPs 7 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2280	netsh.exe
788	netsh.exe
4960	netsh.exe
920	netsh.exe
4444	netsh.exe
2940	netsh.exe
5256	netsh.exe

Drops startup file 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Bloxflip%20Predictor.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Bloxflip Predictor.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Bloxflip Predictor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Bloxflip Predictor.exe

Executes dropped EXE 64 IoCs

pid	Process
2348	kdmapper.exe
2892	fusca%20game.exe
5088	Windows12.exe
4756	winlogson.exe
4076	RuntimeBroker.exe
2256	Destover.exe
4540	XClient.exe
4792	RuntimeBroker.exe
4780	Bloxflip%20Predictor.exe
2620	fusca%20game.exe
912	fusca%20game.exe
2468	fusca%20game.exe
3760	fusca%20game.exe
2876	fusca%20game.exe
1892	fusca%20game.exe
2044	fusca%20game.exe
1292	fusca%20game.exe
4920	Setup.exe
5848	opyhjdase.exe
5592	fusca%20game.exe
3128	fusca%20game.exe
4276	fusca%20game.exe
3792	fusca%20game.exe
5696	ActivationHelper.exe
3388	SystemService.exe
5844	fusca%20game.exe
5892	fusca%20game.exe
2164	fusca%20game.exe
912	fusca%20game.exe
956	Bloxflip Predictor.exe
5636	fusca%20game.exe
3524	fusca%20game.exe
1368	svchost.exe
400	Terminal_9235.exe
3980	fusca%20game.exe
4576	fusca%20game.exe
4896	fusca%20game.exe
4048	fusca%20game.exe
3756	fusca%20game.exe
1744	fusca%20game.exe
3156	fusca%20game.exe
2964	fusca%20game.exe
4040	fusca%20game.exe
4336	fusca%20game.exe
5248	fusca%20game.exe
2676	fusca%20game.exe
1064	fusca%20game.exe
3748	fusca%20game.exe
3336	fusca%20game.exe
4740	fusca%20game.exe
5948	client.exe
1676	fusca%20game.exe
1844	fusca%20game.exe
4388	fusca%20game.exe
5472	fusca%20game.exe
1820	fusca%20game.exe
4996	fusca%20game.exe
4028	fusca%20game.exe
1604	fusca%20game.exe
3408	fusca%20game.exe
2888	fusca%20game.exe
2904	fusca%20game.exe
4988	fusca%20game.exe
1468	fusca%20game.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x001900000002b1d5-399.dat	vmprotect
behavioral1/memory/1368-415-0x00007FF622220000-0x00007FF6227CC000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Windows\\Bloxflip Predictor.exe"	Bloxflip%20Predictor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Bloxflip Predictor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Bloxflip Predictor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Bloxflip Predictor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\220fe34d4dcc4a99fe35d2fb7ce78939 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\fusca%20game.exe\" .."	fusca%20game.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\Setup = "C:\\Users\\Admin\\AppData\\Roaming\\Setup.exe"	XClient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Bloxflip Predictor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Lead.Upload.Report.Feb.2025.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Host = "C:\\Program Files (x86)\\DSL Host\\dslhost.exe"	MSystem32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\220fe34d4dcc4a99fe35d2fb7ce78939 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\fusca%20game.exe\" .."	fusca%20game.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\Backup = "C:\\Windows\\System32\\wscript.exe //B \"C:\\ProgramData\\silent_start.vbs\""	ActivationHelper.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSystem32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
4	discord.com
5	raw.githubusercontent.com
33	discord.com
1	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	856.exe
File created	C:\autorun.inf	856.exe
File opened for modification	C:\autorun.inf	856.exe
File created	F:\autorun.inf	856.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\winlogson\winlogson.exe	Windows12.exe
File opened for modification	C:\Windows\system32\winlogson	Windows12.exe
File opened for modification	C:\Windows\system32\winlogson\winlogson.exe	winlogson.exe
File opened for modification	C:\Windows\system32\winlogson	winlogson.exe
File created	C:\Windows\system32\a7\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7	RuntimeBroker.exe
File created	C:\Windows\system32\winlogson\winlogson.exe	Windows12.exe
File opened for modification	C:\Windows\system32\a7\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7\RuntimeBroker.exe	RuntimeBroker.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002b202-476.dat	upx
behavioral1/memory/5808-480-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/5808-577-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DSL Host\dslhost.exe	MSystem32.exe
File opened for modification	C:\Program Files (x86)\DSL Host\dslhost.exe	MSystem32.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Bloxflip Predictor.exe	Bloxflip%20Predictor.exe
File opened for modification	C:\Windows\Bloxflip Predictor.exe	attrib.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	injector.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bloxflip Predictor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	856.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Terminal_9235.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Destover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ActivationHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4744	timeout.exe

Kills process with taskkill 15 IoCs

defense_evasion

pid	Process
3216	taskkill.exe
5404	taskkill.exe
3708	taskkill.exe
3628	taskkill.exe
3728	taskkill.exe
3560	taskkill.exe
5812	taskkill.exe
3884	taskkill.exe
3364	taskkill.exe
4604	taskkill.exe
4908	taskkill.exe
3292	taskkill.exe
464	taskkill.exe
4912	taskkill.exe
5508	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000_Classes\Local Settings	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
8	schtasks.exe
3208	schtasks.exe
4248	schtasks.exe
856	schtasks.exe
3972	schtasks.exe
4828	schtasks.exe
2720	schtasks.exe
2720	schtasks.exe
4512	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4540	XClient.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
240	powershell.exe
240	powershell.exe
3904	powershell.exe
3904	powershell.exe
3904	powershell.exe
5824	powershell.exe
5824	powershell.exe
5824	powershell.exe
2324	powershell.exe
2324	powershell.exe
2324	powershell.exe
4540	XClient.exe
4540	XClient.exe
1368	svchost.exe
1368	svchost.exe
1368	svchost.exe
1368	svchost.exe
400	Terminal_9235.exe
400	Terminal_9235.exe
400	Terminal_9235.exe
400	Terminal_9235.exe
400	Terminal_9235.exe
400	Terminal_9235.exe
400	Terminal_9235.exe
400	Terminal_9235.exe
400	Terminal_9235.exe
400	Terminal_9235.exe
400	Terminal_9235.exe
400	Terminal_9235.exe
400	Terminal_9235.exe
400	Terminal_9235.exe
400	Terminal_9235.exe
400	Terminal_9235.exe
400	Terminal_9235.exe
400	Terminal_9235.exe
4428	MSystem32.exe
4428	MSystem32.exe
4428	MSystem32.exe
4428	MSystem32.exe
1816	856.exe
1816	856.exe
1816	856.exe
1816	856.exe
4428	MSystem32.exe
4428	MSystem32.exe
4428	MSystem32.exe
4428	MSystem32.exe
1816	856.exe
1816	856.exe
1816	856.exe
1816	856.exe
1816	856.exe
1816	856.exe
1816	856.exe
1816	856.exe
1816	856.exe
1816	856.exe
1816	856.exe
1816	856.exe
1816	856.exe
1816	856.exe
1816	856.exe
1816	856.exe
1816	856.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
Token: SeDebugPrivilege	5088	Windows12.exe
Token: SeDebugPrivilege	4756	winlogson.exe
Token: SeDebugPrivilege	4076	RuntimeBroker.exe
Token: SeDebugPrivilege	4540	XClient.exe
Token: SeDebugPrivilege	4792	RuntimeBroker.exe
Token: SeDebugPrivilege	240	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	5824	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	4540	XClient.exe
Token: SeDebugPrivilege	4920	Setup.exe
Token: SeDebugPrivilege	3216	taskkill.exe
Token: SeDebugPrivilege	4912	taskkill.exe
Token: SeDebugPrivilege	5404	taskkill.exe
Token: SeDebugPrivilege	5812	taskkill.exe
Token: SeDebugPrivilege	3708	taskkill.exe
Token: SeDebugPrivilege	3884	taskkill.exe
Token: SeDebugPrivilege	5508	taskkill.exe
Token: SeDebugPrivilege	3364	taskkill.exe
Token: SeDebugPrivilege	3628	taskkill.exe
Token: SeDebugPrivilege	4604	taskkill.exe
Token: SeDebugPrivilege	3292	taskkill.exe
Token: SeDebugPrivilege	2892	fusca%20game.exe
Token: 33	2892	fusca%20game.exe
Token: SeIncBasePriorityPrivilege	2892	fusca%20game.exe
Token: SeDebugPrivilege	4908	taskkill.exe
Token: SeDebugPrivilege	3728	taskkill.exe
Token: SeDebugPrivilege	464	taskkill.exe
Token: SeDebugPrivilege	3560	taskkill.exe
Token: SeDebugPrivilege	1368	svchost.exe
Token: SeDebugPrivilege	400	Terminal_9235.exe
Token: 33	2892	fusca%20game.exe
Token: SeIncBasePriorityPrivilege	2892	fusca%20game.exe
Token: SeDebugPrivilege	956	Bloxflip Predictor.exe
Token: SeDebugPrivilege	5948	client.exe
Token: 33	2892	fusca%20game.exe
Token: SeIncBasePriorityPrivilege	2892	fusca%20game.exe
Token: 33	956	Bloxflip Predictor.exe
Token: SeIncBasePriorityPrivilege	956	Bloxflip Predictor.exe
Token: SeDebugPrivilege	1436	Setup.exe
Token: 33	2892	fusca%20game.exe
Token: SeIncBasePriorityPrivilege	2892	fusca%20game.exe
Token: 33	956	Bloxflip Predictor.exe
Token: SeIncBasePriorityPrivilege	956	Bloxflip Predictor.exe
Token: SeDebugPrivilege	4428	MSystem32.exe
Token: 33	2892	fusca%20game.exe
Token: SeIncBasePriorityPrivilege	2892	fusca%20game.exe
Token: SeDebugPrivilege	1816	856.exe
Token: 33	956	Bloxflip Predictor.exe
Token: SeIncBasePriorityPrivilege	956	Bloxflip Predictor.exe
Token: SeDebugPrivilege	2740	TrainJX.exe
Token: SeDebugPrivilege	2904	svchost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4756	winlogson.exe
4792	RuntimeBroker.exe
4540	XClient.exe
1744	injector.exe
1744	injector.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2348	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	79
PID 2404 wrote to memory of 2348	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	79
PID 2404 wrote to memory of 2892	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	81
PID 2404 wrote to memory of 2892	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	81
PID 2404 wrote to memory of 2892	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	81
PID 2404 wrote to memory of 5088	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	82
PID 2404 wrote to memory of 5088	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	82
PID 5088 wrote to memory of 4512	5088	Windows12.exe	83
PID 5088 wrote to memory of 4512	5088	Windows12.exe	83
PID 5088 wrote to memory of 4756	5088	Windows12.exe	85
PID 5088 wrote to memory of 4756	5088	Windows12.exe	85
PID 4756 wrote to memory of 8	4756	winlogson.exe	86
PID 4756 wrote to memory of 8	4756	winlogson.exe	86
PID 2404 wrote to memory of 4076	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	88
PID 2404 wrote to memory of 4076	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	88
PID 2404 wrote to memory of 2256	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	89
PID 2404 wrote to memory of 2256	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	89
PID 2404 wrote to memory of 2256	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	89
PID 2404 wrote to memory of 4540	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	90
PID 2404 wrote to memory of 4540	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	90
PID 4076 wrote to memory of 3208	4076	RuntimeBroker.exe	91
PID 4076 wrote to memory of 3208	4076	RuntimeBroker.exe	91
PID 4076 wrote to memory of 4792	4076	RuntimeBroker.exe	93
PID 4076 wrote to memory of 4792	4076	RuntimeBroker.exe	93
PID 2404 wrote to memory of 4780	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	94
PID 2404 wrote to memory of 4780	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	94
PID 2404 wrote to memory of 4780	2404	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	94
PID 4792 wrote to memory of 4248	4792	RuntimeBroker.exe	95
PID 4792 wrote to memory of 4248	4792	RuntimeBroker.exe	95
PID 2892 wrote to memory of 920	2892	fusca%20game.exe	97
PID 2892 wrote to memory of 920	2892	fusca%20game.exe	97
PID 2892 wrote to memory of 920	2892	fusca%20game.exe	97
PID 1932 wrote to memory of 2620	1932	cmd.exe	103
PID 1932 wrote to memory of 2620	1932	cmd.exe	103
PID 1932 wrote to memory of 2620	1932	cmd.exe	103
PID 2872 wrote to memory of 912	2872	cmd.exe	104
PID 2872 wrote to memory of 912	2872	cmd.exe	104
PID 2872 wrote to memory of 912	2872	cmd.exe	104
PID 4540 wrote to memory of 240	4540	XClient.exe	106
PID 4540 wrote to memory of 240	4540	XClient.exe	106
PID 3680 wrote to memory of 2468	3680	cmd.exe	112
PID 3680 wrote to memory of 2468	3680	cmd.exe	112
PID 3680 wrote to memory of 2468	3680	cmd.exe	112
PID 5076 wrote to memory of 3760	5076	cmd.exe	113
PID 5076 wrote to memory of 3760	5076	cmd.exe	113
PID 5076 wrote to memory of 3760	5076	cmd.exe	113
PID 4540 wrote to memory of 3904	4540	XClient.exe	114
PID 4540 wrote to memory of 3904	4540	XClient.exe	114
PID 4540 wrote to memory of 5824	4540	XClient.exe	116
PID 4540 wrote to memory of 5824	4540	XClient.exe	116
PID 4540 wrote to memory of 2324	4540	XClient.exe	122
PID 4540 wrote to memory of 2324	4540	XClient.exe	122
PID 3752 wrote to memory of 2876	3752	cmd.exe	123
PID 3752 wrote to memory of 2876	3752	cmd.exe	123
PID 3752 wrote to memory of 2876	3752	cmd.exe	123
PID 2052 wrote to memory of 1892	2052	cmd.exe	124
PID 2052 wrote to memory of 1892	2052	cmd.exe	124
PID 2052 wrote to memory of 1892	2052	cmd.exe	124
PID 2832 wrote to memory of 2044	2832	cmd.exe	130
PID 2832 wrote to memory of 2044	2832	cmd.exe	130
PID 2832 wrote to memory of 2044	2832	cmd.exe	130
PID 5676 wrote to memory of 1292	5676	cmd.exe	131
PID 5676 wrote to memory of 1292	5676	cmd.exe	131
PID 5676 wrote to memory of 1292	5676	cmd.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5412	attrib.exe
5880	attrib.exe
2260	attrib.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
"C:\Users\Admin\AppData\Local\Temp\2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe"
1⤵
- Downloads MZ/PE file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\Files\kdmapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\kdmapper.exe"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" "fusca%20game.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:920
- C:\Users\Admin\AppData\Local\Temp\Files\Windows12.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Windows12.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "winlogson" /sc ONLOGON /tr "C:\Windows\system32\winlogson\winlogson.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4512
- - C:\Windows\system32\winlogson\winlogson.exe
    "C:\Windows\system32\winlogson\winlogson.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "winlogson" /sc ONLOGON /tr "C:\Windows\system32\winlogson\winlogson.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:8
- C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3208
- - C:\Windows\system32\a7\RuntimeBroker.exe
    "C:\Windows\system32\a7\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4248
- C:\Users\Admin\AppData\Local\Temp\Files\Destover.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Destover.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2256
- C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Setup.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Setup.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Setup" /tr "C:\Users\Admin\AppData\Roaming\Setup.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:856
- C:\Users\Admin\AppData\Local\Temp\Files\Bloxflip%20Predictor.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Bloxflip%20Predictor.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  PID:4780
- - C:\Windows\Bloxflip Predictor.exe
    "C:\Windows\Bloxflip Predictor.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:956
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
      4⤵
      Drops startup file
      Views/modifies file attributes
      PID:5880
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:5412
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Windows\Bloxflip Predictor.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2260
- C:\Users\Admin\AppData\Local\Temp\Files\opyhjdase.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\opyhjdase.exe"
  2⤵
  - Executes dropped EXE
  PID:5848
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM chrome.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3216
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM firefox.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4912
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM brave.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5404
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM opera.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5812
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM kometa.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3708
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM orbitum.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3884
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM centbrowser.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5508
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM 7star.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3364
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sputnik.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3628
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM vivaldi.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4604
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM epicprivacybrowser.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3292
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM msedge.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4908
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM uran.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3728
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM yandex.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:464
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM iridium.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3560
- C:\Users\Admin\AppData\Local\Temp\Files\ActivationHelper.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ActivationHelper.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5696
- C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Users\Admin\AppData\Local\Temp\Files\Terminal_9235.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Terminal_9235.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:400
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "client" /tr '"C:\Users\Admin\AppData\Roaming\client.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4604
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "client" /tr '"C:\Users\Admin\AppData\Roaming\client.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp98A6.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3468
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4744
  - - C:\Users\Admin\AppData\Roaming\client.exe
      "C:\Users\Admin\AppData\Roaming\client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5948
- C:\Users\Admin\AppData\Local\Temp\Files\Lead.Upload.Report.Feb.2025.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Lead.Upload.Report.Feb.2025.exe"
  2⤵
  - Adds Run key to start application
  PID:1292
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c 1.vbs && 2.xlsx
    3⤵
    - Modifies registry class
    PID:5584
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.vbs"
      4⤵
      PID:5580
- C:\Users\Admin\AppData\Local\Temp\Files\R1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\R1.exe"
  2⤵
  PID:5540
- C:\Users\Admin\AppData\Local\Temp\Files\shell.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\shell.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1536
- C:\Users\Admin\AppData\Local\Temp\Files\billi_e58d74e455634dc695ed8a7b8b320325.exe.upx.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\billi_e58d74e455634dc695ed8a7b8b320325.exe.upx.exe"
  2⤵
  PID:5808
- C:\Users\Admin\AppData\Local\Temp\Files\MSystem32.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\MSystem32.exe"
  2⤵
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DSL Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF107.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4828
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DSL Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF166.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2720
- C:\Users\Admin\AppData\Local\Temp\Files\856.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\856.exe"
  2⤵
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\856.exe" "856.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4444
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\856.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5256
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\856.exe" "856.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2940
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2280
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4960
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:788
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2720
- C:\Users\Admin\AppData\Local\Temp\Files\TrainJX.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\TrainJX.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Users\Admin\AppData\Local\Temp\Files\injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\injector.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1744
- - \??\c:\users\admin\appdata\local\temp\files\injector.exe
    c:\users\admin\appdata\local\temp\files\injector.exe
    3⤵
    PID:4032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3828
- - C:\Windows\Resources\Themes\icsys.icn.exe
    C:\Windows\Resources\Themes\icsys.icn.exe
    3⤵
    PID:5916
  - - \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      4⤵
      PID:972
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:5100
      - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        6⤵
        
        PID:1160
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        7⤵
        
        PID:5280
- C:\Users\Admin\AppData\Local\Temp\Files\TPB-ACTIVATOR-1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\TPB-ACTIVATOR-1.exe"
  2⤵
  PID:1488
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:5676
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Setup.exe
1⤵
PID:1072
- C:\Users\Admin\AppData\Roaming\Setup.exe
  C:\Users\Admin\AppData\Roaming\Setup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5880
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5628
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:4288
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:3792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:4104
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\wscript.exe //B "C:\ProgramData\silent_start.vbs"
1⤵
PID:4608
- C:\Windows\System32\wscript.exe
  C:\Windows\System32\wscript.exe //B "C:\ProgramData\silent_start.vbs"
  2⤵
  PID:1568
- - C:\ProgramData\SystemService.exe
    "C:\ProgramData\SystemService.exe"
    3⤵
    - Executes dropped EXE
    PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5240
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:4588
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5116
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3116
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Bloxflip Predictor.exe
1⤵
PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:892
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3544
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3876
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5756
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5596
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:2752
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:4912
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:648
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:2088
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3680
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3812
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:2268
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:4908
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3184
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:2864
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3568
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:2784
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3676
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:3920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:1536
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3160
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5136
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:1956
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:4516
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5896
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5644
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:1908
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3672
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5924
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:2028
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5512
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:2960
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:1816
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3028
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:4808
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:2676
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:1664
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:572

C:\Users\Admin\AppData\Roaming\Setup.exe
C:\Users\Admin\AppData\Roaming\Setup.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:2764
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:800
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5352
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:836
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:4752
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:632
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:2724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5104
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:4020
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
PID:1968
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5188
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:2348
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:4420
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3748
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3116
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3552
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3864
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:2764
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:2352
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\DSL Host\dslhost.exe
1⤵
PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:1436
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:2284
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:4880
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5116
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:4572
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3880
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5184
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:1448
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:2092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:2812
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3892
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:2940
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:1432
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:4732
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:4256
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3196
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:2364
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO
1⤵
PID:3448
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe RO
  2⤵
  PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO
1⤵
PID:724
- \??\c:\windows\resources\svchost.exe
  c:\windows\resources\svchost.exe RO
  2⤵
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:3812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5868
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5164
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO
1⤵
PID:1544
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe RO
  2⤵
  PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO
1⤵
PID:5872
- \??\c:\windows\resources\svchost.exe
  c:\windows\resources\svchost.exe RO
  2⤵
  PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:1732
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5680
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:4840
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:4700
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:5168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:4592
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:1884
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:1880
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5344
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5980
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:3792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:2160
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:2208
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:6024
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:2148
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5844
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:5672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5188
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:1028
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5812
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5508
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:240
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5052
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:4632
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:4568
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3832
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5920
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:5324
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:2300
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:3640
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:6172
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:6276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:6180
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:6268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:6328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:6336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:6452
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:6660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:6460
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:6572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:6604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:6612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:6736
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:6976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" ..
1⤵
PID:6744
- C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
  C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe ..
  2⤵
  PID:6908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:6864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL
1⤵
PID:6872

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\silent_start.vbs

Filesize
129B

MD5
c85a2433ffa34f988f5ed62a3017438d

SHA1
1a4b3d9f0faac14e5c38c8c059164cefcc41cd5c

SHA256
afacce3a2a62c4a880de2b24b35102ac7c1a68b9e0ed27dbb56fc99c72284757

SHA512
00a118c57be9bdb928fe55386231441967e7b866cc4b6d2e293c3844b982b5fb4bfa1f80864b67f2e275411249708a2d66e314736401e331d3413dab91f78ac3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\fusca%20game.exe.log

Filesize
319B

MD5
2a0834560ed3770fc33d7a42f8229722

SHA1
c8c85f989e7a216211cf9e4ce90b0cc95354aa53

SHA256
8aa2d836004258f1a1195dc4a96215b685aed0c46a261a2860625d424e9402b6

SHA512
c5b64d84e57eb8cc387b5feedf7719f1f7ae21f6197169f5f73bc86deddb538b9af3c9952c94c4f69ae956e1656d11ab7441c292d2d850a4d2aaa9ec678f8e82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cef328ddb1ee8916e7a658919323edd8

SHA1
a676234d426917535e174f85eabe4ef8b88256a5

SHA256
a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

SHA512
747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe

Filesize
242KB

MD5
4af19fe7a3441e7be08b5cbc74d1cdf5

SHA1
8718837cd3700e866583fe68cdd7400ff5e9939a

SHA256
c3980bd2dbcf0754efd570d722568a3e84428a74e7ae319ee9f139654b8cac5b

SHA512
99d301d7822e07bdb6ef55dd0b9273b936576e1b699fe97f13c44d304e8bd27ff94bd42c49211ed63f200af91c4bd6ffdd8423425f3fa0fc0e90d887fa988678

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\856.exe

Filesize
93KB

MD5
68edafe0a1705d5c7dd1cb14fa1ca8ce

SHA1
7e9d854c90acd7452645506874c4e6f10bfdda31

SHA256
68f0121f2062aede8ae8bd52bba3c4c6c8aa19bdf32958b4e305cf716a92cc3d

SHA512
89a965f783ea7f54b55a542168ff759e851eae77cdfa9e23ba76145614b798f0815f2feb8670c16f26943e83bba2ade0649d6dc83af8d87c51c42f96d015573d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ActivationHelper.exe

Filesize
801KB

MD5
9b0220abe9f875c52a33115265ba1f66

SHA1
9d3f8eb6af4afd13ab1ff60d88dd91fbf122fca8

SHA256
43d38e8dcf434e5a8b363089564b6d282a8d22265cc68c6519017a98f323465c

SHA512
350a90fc1ab82436acde8c6c21e2c185d169d70278682d36cd1cc3ad0743e0d86a6d14f3dcf0cf885756584625548203d0dc38458a921bb57424f6c49f9afcd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Bloxflip%20Predictor.exe

Filesize
27KB

MD5
7bf897ca59b77ad3069c07149c35f97e

SHA1
6951dc20fa1e550ec9d066fe20e5100a9946a56b

SHA256
bc37b896fee26a5b4de7845cdd046e0200c783d4907ffa7e16da84ed6b5987dd

SHA512
6e0725043262eec328130883b8c6a413c03fa11e766db44e6e2595dfa5d3e13d02b7a199105cad8439c66238cf2975099d40b33cdaeb4768da159060b6f35daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Destover.exe

Filesize
89KB

MD5
e904bf93403c0fb08b9683a9e858c73e

SHA1
8397c1e1f0b9d53a114850f6b3ae8c1f2b2d1590

SHA256
4c2efe2f1253b94f16a1cab032f36c7883e4f6c8d9fc17d0ee553b5afb16330c

SHA512
d83f63737f7fcac9179ca262aa5c32bba7e140897736b63474afcf4f972ffb4c317c5e1d6f7ebe6a0f2d77db8f41204031314d7749c7185ec3e3b5286d77c1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Lead.Upload.Report.Feb.2025.exe

Filesize
99KB

MD5
6ca1d8895e299ea630a4673213536564

SHA1
95bcbee0041ede1eaa4c13ba8a70893d61f83c84

SHA256
da620174bef1c7f41f581104a7193808d5aba54cf2edde9169c012854795e7f8

SHA512
4bee0ef4294fc73b4cd2374ea2ec443cc5f30e4e56aa1fe79049a6cf5d5229a569417f5c895e9052c8d07cab497cc325b9786a12cab9afa335502305927d96a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\MSystem32.exe

Filesize
235KB

MD5
0b9c6adaad6b250ad72923c2014b44b0

SHA1
7b9f82bef71e2d4ddfc258c2d1b7e7c5f76547fe

SHA256
1a9dc2fbfe2257278e6452872cdbd18c50bf5c7142dd04c772f1633a7f20fd0d

SHA512
3b9e734d09e8f01751d370aaff2cbe68ecaf18ec78ef6cc97974ff1ab8c5fe8db2b8b942e86b4b15e8f2657f5f5141088ca0cbe5b845b878732d3bed521aa0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\R1.exe

Filesize
190KB

MD5
25435613e2bf2fdc1bce0feef839a0a6

SHA1
ada0f61764c41d23c7a647825583a9a58500868d

SHA256
afc25d6af755170ab85a5b53bf69476fdcc325be94fb15a271d2432155164ffa

SHA512
ef59106b773f9413ce0a0563bbee75edd4e0bb5b3130754a8331c394b8a359730baf7ff23b621d8feed756386120e51e23ff5cf66a98ffea4e85c171e8603b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe

Filesize
3.1MB

MD5
57145c33045ce67e1c1fe7c763438ab1

SHA1
2a83ecef8bbe640577a2cc3f6602bbd8e7d6c847

SHA256
9764bc832bfa8a9f3d7af1ea6747e7376774bd903e9cc545d9998f2657e97fa3

SHA512
7ce3d6dbd3c3b05ff6fe1ac57888123cf5e01e890c5b5e7204859b361841d15fdb8a460626355236b9c3df58824cb1979c187f34fa6d7d282517023f3a26a112

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\TPB-ACTIVATOR-1.exe

Filesize
1.5MB

MD5
d0c0e2b8cdcf7891093e828326fc7240

SHA1
82d4bc2c660c5853818925351b1f01a4933755a3

SHA256
4ef46582ae95f961c0a0af8262de20681d9fc34ab18ead54a634448c077fd82d

SHA512
35033dddd0ed3ebb292be5e3eb1f01f116b71ff63cf03efdf069be081bb58c7582f9ab0756184905db6050c462197f40fdedee67436c8952edf23a24301723df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Terminal_9235.exe

Filesize
51KB

MD5
7bc2e6b25bfafe16708196e844dc1476

SHA1
4689ebd58df0eaa8f21191f1e0aae0259a2a7497

SHA256
a72a243ca862f09c197a135b15cc3081b7635cb1c78bb7f92daa932b78754b06

SHA512
aef4619973c3d71ce6eda4f4c1d4be2dcd88fceaf48bf2b4efde7c762d3ac45a3d4900b33aea04dfbd40079a279efd7ea2505056f0828cdb364ee478627e9e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\TrainJX.exe

Filesize
127KB

MD5
ff25c6870885926ccce8141d244024aa

SHA1
08e25752ebad8edcf0877fe9cdf0bbacd9e27e71

SHA256
24db2893fc8fb265f397e313cdb4142700b7d5e6d9bed1deeb173db479c68e13

SHA512
ef38c8c1a19ec3d2a007056d4b9af6dc3b9ea787fa0f998fcb33736c689c9c5efa54b3f06cdb96e479b1b769ffb95343929ce5e6b634f314395a338c70e6ac2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Windows12.exe

Filesize
3.4MB

MD5
8b2e0fa65ef1b87ffcc3ca43ddab5eb8

SHA1
89c584fa347a1e9b9caa3205f37b67d4bdf47fcc

SHA256
098f75d091ae6473dce8b06216ab154737468869375e35e5949e39904dbe71e6

SHA512
3d5eec18d870a104389e0e628e01ae3fdd372e65a3b7a0eb33fbc99965e3b6cd8e51cccf208041e0f6a3be55764286bf855e10c0792982cf458a8633ff29cbce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

Filesize
80KB

MD5
1fdbde7773dca61675f332594d8f7e99

SHA1
b993f62c871c311fe9a398ad2424389b1072906e

SHA256
439f9b3edd8b69f54c8a03c34f56660b95f345688edfad7911780a41f9839d65

SHA512
51a74a252c827f9fd3cbcd39cd6b95d721b97fd25fb8f78574700ccbf60e85d072ffa5b893887d67a2c5f69478df3ce687c6d11632312117bed928800b3e63b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\billi_e58d74e455634dc695ed8a7b8b320325.exe.upx.exe

Filesize
45KB

MD5
092c3991693cf8e0023895e4c1681fae

SHA1
eac132697a7317fb617a2237df11395bfc76b18d

SHA256
86e691956c37b1594ef05158264e82e28655233a446fb06d4e269769ed582f06

SHA512
64c3575fba4e9eba8b93e60b557dce0108ff97b0556736f5fd30b2af080d2786062afbaf57ffe6988d7a0b170f00faf4b8aaf871a978fbe7e05342cc673c9e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe

Filesize
235KB

MD5
6932b7496923927a168f33e9c584df04

SHA1
12efc094c2b3e1f1da263751baeb918e892faf2c

SHA256
6cbeec3d5e443abf3dd88847fa7ba3e4cc716ceb39f1bb514e32b9295dbc8529

SHA512
c2bf4f24ee785c526f9bea8e2d1a427008ed5e6d47eb9065d32b7c0fc12928d6de4377b33f9e683676cc2f38e59da269987b4c7d8fceda6d263afb873eb3eb77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\injector.exe

Filesize
2.3MB

MD5
f6aaabbe869f9896e9f42188eeff7bd0

SHA1
1efcc84697399da14b1860e196d7effc09616f45

SHA256
0a0051921bf902df467a3faf3eb43cee8e9b26fbc3582861b2498ec2728bb641

SHA512
7e95891540121e2c15b7f2ce51155fc3a6feefb9b493e2aa550a94b6a00f25ac47a946beb5096bdd6ebc2ac8eeac606f8e372f07d56bba3d697552b2f330aa10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kdmapper.exe

Filesize
134KB

MD5
54d024fff14ecf2068b43d9ce52ad66e

SHA1
f84b57ac51377b0742e88f565221177710bc5def

SHA256
4bd506c3b40b8d614aeac97bf7abfef595544b6fdbd20b495ad6a694efa85ff3

SHA512
b99cfd043192600718a8491d600693f78af53bb7c02c376bf2404dbc85ca9799c44268ff4cb624c0a06edcc6351ffd84a5766c19143be3afcc8f3ed34acdc909

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\opyhjdase.exe

Filesize
14.6MB

MD5
0d53256905411410fcfbbbcda13abdbb

SHA1
cdea834f452864559cf7471614948cbc575e0fcb

SHA256
d336273cee697dec1b8f9e1643005a2cd8b80305e9f8dc257ab69d2322f38927

SHA512
d6d2f8973cfda896edd0869a76773d14dc9a866be31fd1629c8cc9139ff18f1c7d84a6321cac1369d254eb64edb6bc7f7ba3d905c0622a6e5dc84faa813122f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\shell.exe

Filesize
72KB

MD5
156b3dd7b265fdbeb2ade043097d069b

SHA1
58d37918893d2109804c79f93316570a74aa2855

SHA256
da47b99da4257ab831799c5d2fb02086c093511988fb4239aab3a57dab00c049

SHA512
43d28d9f5b32e8acea884380ef733eaf51b9110c6fe334ab2d9551319c3f4b7e235f08b1f3f26fb5914b6973586e6089f14f7aceebcf110ca40f492f963fdea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe

Filesize
2.7MB

MD5
b373c11c594e3a3f2230860496f2507b

SHA1
53e9c1857b150df576cdccfc630e7e8cd24d61b2

SHA256
2754cf43d44358046721e9fbd6cb1447154cc9f9da62349e54576327ff3a5b02

SHA512
c7565f67f51e40bf4150bf525b8e2ebaaaca24d9db56559578a108162a0fca8a6463f92131f5931323534b9c5adefec60b2cf904ef9f799a63e61ab1576bb414

Download Submit
C:\Users\Admin\AppData\Local\Temp\Local Storage\leveldb_7.temp\CURRENT.5

Filesize
16B

MD5
9f36605efba98dab15728fe8b5538aa0

SHA1
6a7cff514ae159a59b70f27dde52a3a5dd01b1c8

SHA256
9c283f6e81028b9eb0760d918ee4bc0aa256ed3b926393c1734c760c4bd724fd

SHA512
1893aa3d1abcf7f9e83911468fa2eeb2ad1d7e23f4586bd6c4d76f9f96a645c15e63e44da55700347165e97b6ac412e6d495b81c3da9faa61d617c7a71a7404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\CURRENT.bak

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xpeqmqnw.bjz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
11af6e08d014d479f565d11b10de6bce

SHA1
7ff5259cbcbe8671f09b81b7ba72876ea607f91c

SHA256
a5beb6c544cfc27903d817777db75f779c1a76b6d1183c0c8cad5d22bb3a9bc9

SHA512
5c3e98649504d248a09c84fb6ce109a752c4d82fd10ecfbcabed7c098cc6f55f7ca8ef7512cd1d1041e4ad50498faf5a24cb02c1dc9e882296674f2730248656

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
2094c945d45008373ddcfc7eda4ec38b

SHA1
1fc13cdc1c1d10eadcece59a5d4653b4896c0f0e

SHA256
dcbc905e60462b05ac480250ab0046b59781afcd5c59aa2d46b9817d16a49bd8

SHA512
a0e194908cd1bacc483052f1b95da8e44cce8cd196d1c2b0a4b1eeb9d3b8cf96752a5689823ccce9afe6b717ca65e7a3ee7cfb5050b38f0331cfa3516bcc4e27

Download Submit
memory/240-109-0x000002095BE10000-0x000002095BE32000-memory.dmp

Filesize
136KB

Download
memory/400-418-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/404-611-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/972-578-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1160-595-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1360-619-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1368-413-0x00007FF830CB0000-0x00007FF830CB2000-memory.dmp

Filesize
8KB

Download
memory/1368-415-0x00007FF622220000-0x00007FF6227CC000-memory.dmp

Filesize
5.7MB

Download
memory/1744-549-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-602-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2256-377-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2256-431-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2256-508-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2404-1-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/2404-0-0x000000007508E000-0x000000007508F000-memory.dmp

Filesize
4KB

Download
memory/2404-58-0x000000007508E000-0x000000007508F000-memory.dmp

Filesize
4KB

Download
memory/2404-89-0x0000000075080000-0x0000000075831000-memory.dmp

Filesize
7.7MB

Download
memory/2404-2-0x0000000004CF0000-0x0000000004D8C000-memory.dmp

Filesize
624KB

Download
memory/2404-3-0x0000000075080000-0x0000000075831000-memory.dmp

Filesize
7.7MB

Download
memory/2740-534-0x00000000006C0000-0x00000000006E8000-memory.dmp

Filesize
160KB

Download
memory/2740-536-0x0000000005600000-0x0000000005BA6000-memory.dmp

Filesize
5.6MB

Download
memory/2740-538-0x0000000005200000-0x000000000520A000-memory.dmp

Filesize
40KB

Download
memory/2740-537-0x0000000005050000-0x00000000050E2000-memory.dmp

Filesize
584KB

Download
memory/2892-20-0x00000000700E1000-0x00000000700E2000-memory.dmp

Filesize
4KB

Download
memory/2892-100-0x00000000700E0000-0x0000000070691000-memory.dmp

Filesize
5.7MB

Download
memory/2892-21-0x00000000700E0000-0x0000000070691000-memory.dmp

Filesize
5.7MB

Download
memory/2892-22-0x00000000700E0000-0x0000000070691000-memory.dmp

Filesize
5.7MB

Download
memory/2892-148-0x00000000700E0000-0x0000000070691000-memory.dmp

Filesize
5.7MB

Download
memory/3388-195-0x0000000001990000-0x00000000019AB000-memory.dmp

Filesize
108KB

Download
memory/4076-53-0x0000000000730000-0x0000000000A54000-memory.dmp

Filesize
3.1MB

Download
memory/4540-80-0x00000000003F0000-0x000000000040A000-memory.dmp

Filesize
104KB

Download
memory/4636-612-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4636-610-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4756-57-0x000000001C7E0000-0x000000001C892000-memory.dmp

Filesize
712KB

Download
memory/4756-54-0x000000001BFC0000-0x000000001C010000-memory.dmp

Filesize
320KB

Download
memory/4792-147-0x000000001D700000-0x000000001DC28000-memory.dmp

Filesize
5.2MB

Download
memory/5088-34-0x00007FF80FC53000-0x00007FF80FC55000-memory.dmp

Filesize
8KB

Download
memory/5088-35-0x0000000000F10000-0x0000000001270000-memory.dmp

Filesize
3.4MB

Download
memory/5100-590-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5100-600-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5280-599-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5540-458-0x0000000000D90000-0x0000000000DC4000-memory.dmp

Filesize
208KB

Download
memory/5696-184-0x0000000000D50000-0x0000000000D6B000-memory.dmp

Filesize
108KB

Download
memory/5696-182-0x00000000009A0000-0x00000000009B9000-memory.dmp

Filesize
100KB

Download
memory/5808-577-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5808-480-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5916-601-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5932-620-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5932-621-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download