Analysis
max time kernel: 64s
max time network: 194s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 17:50
Static task: static1
General
Target: elements.exp
Size: 339B
MD5: 21d2e6e281398404012724a6e8f3242d
SHA1: 11ca6bd4edb1466712e10c57c02c5a1cc3475176
SHA256: 31a13807659b75ab5dfd25e097f727705bdbdc9a6d61a8673df2510aa04110d0
SHA512: 3b2ab9dc7cc615a9b61bd421d416845748ad18c38bc31663496d3f54314538a480cc6b0ec1a976f7e66e9382fae5b6db97fce20c7ef5bb85f929da16755251fe
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Detect Umbral payload (2 IoCs)
- yara_rule family_umbral: behavioral1/files/0x000400000002301d-528.dat
- yara_rule family_umbral: behavioral1/memory/3816-536-0x000001FC7E660000-0x000001FC7E6A0000-memory.dmp

AgentTesla payload (1 IoC)
- yara_rule family_agenttesla: behavioral1/memory/5896-524-0x0000012ABED50000-0x0000012ABEF64000-memory.dmp

Command and Scripting Interpreter: PowerShell (1 TTP, 23 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- powershell.exe (PIDs 4696, 3944, 6268, 372, 5952, 4696, 2192, 6744, 1116, 6512, 4612, 5564, 3932, 6020, 7076, 2764, 1996, 6588, 6788)
- Process not Found (PIDs 6612, 820, 1048, 1920)

Downloads MZ/PE file

Drops file in Drivers directory (1 IoC)
- File opened for modification: C:\Windows\System32\drivers\etc\hosts (HiderLdPlayer.exe)
Checks computer location settings (2 TTPs, 14 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried: \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation (PowerCheatEmuHider.exe, 13 entries; PowerCheat free.exe, 1 entry)

Executes dropped EXE (27 IoCs)
- PowerCheat free.exe (PID 5860)
- PowerCheat_free.exe (PID 5896)
- PowerCheatEmuHider.exe (PIDs 6024, 3636, 3144, 5824, 1232, 6156, 6700, 6980, 544, 5856, 6656, 6880, 6872)
- HiderLdPlayer.exe (PIDs 3816, 5188, 5848, 3900, 6520, 6804, 7128, 3932, 5800, 6316, 6840, 7136)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 46 IoCs)
- discord.com (46 network flows)

Looks up external IP address via web service (23 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- ip-api.com (23 network flows)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key values queried under that key: Update Signature, Update Revision, VendorIdentifier, ~Mhz, ProcessorNameString (firefox.exe)

Detects videocard installed (1 TTP, 23 IoCs)
Uses WMIC.exe to determine the installed video card.
- wmic.exe (PIDs 3600, 6788, 6824, 6748, 6772, 3204, 6416, 6864, 1256, 6692, 4344, 5108, 5288, 900, 7144, 4524, 1080, 6600)
- Process not Found (PIDs 6552, 7096, 5320, 6244, 4184)

Enumerates system info in registry (2 TTPs, 6 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (PowerCheat_free.exe, msedge.exe)
- Key values queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer and \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (PowerCheat_free.exe)
- Key values queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer and \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Modifies registry class (3 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings (cmd.exe, OpenWith.exe, firefox.exe)

NTFS ADS (1 IoC)
- File created: C:\Users\Admin\Downloads\PowerCheat free.exe:Zone.Identifier (firefox.exe)
Runs ping.exe (1 TTP, 23 IoCs)
- PING.EXE (PIDs 6300, 3620, 5288, 6852, 3060, 6204, 6464, 3836, 4968, 6492, 2764, 404, 6268, 2564, 6512, 5680, 5952, 2980)
- Process not Found (PIDs 5320, 2980, 6840, 1756, 5964)

Suspicious behavior: EnumeratesProcesses (32 IoCs)
- HiderLdPlayer.exe (PID 3816): 2 entries
- PowerCheat_free.exe (PID 5896): 14 entries
- powershell.exe (PIDs 5564, 5848, 6680, 4660): 3 entries each
- msedge.exe (PIDs 1040, 2740): 2 entries each

Suspicious behavior: LoadsDriver (6 IoCs)
- Process not Found (PID 4): 5 entries
- Process not Found (PID 660): 1 entry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
- msedge.exe (PID 2740): 3 entries

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- firefox.exe (PID 4828): SeDebugPrivilege (2 entries)
- PowerCheat_free.exe (PID 5896): SeDebugPrivilege
- HiderLdPlayer.exe (PID 3816): SeDebugPrivilege
- wmic.exe (PID 2228), sequence recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- powershell.exe (PIDs 5564, 5848, 6680, 4660): SeDebugPrivilege
- wmic.exe (PID 6996): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege

Suspicious use of FindShellTrayWindow (29 IoCs)
- firefox.exe (PID 4828): 4 entries
- msedge.exe (PID 2740): 25 entries

Suspicious use of SendNotifyMessage (27 IoCs)
- firefox.exe (PID 4828): 3 entries
- msedge.exe (PID 2740): 24 entries

Suspicious use of SetWindowsHookEx (5 IoCs)
- OpenWith.exe (PID 2436): 1 entry
- firefox.exe (PID 4828): 4 entries

Suspicious use of WriteProcessMemory (64 IoCs)
- firefox.exe (PID 2936) wrote to memory of PID 4828 (procid_target 90): 11 entries
- firefox.exe (PID 4828) wrote to memory of PID 2308 (procid_target 91): 43 entries
- firefox.exe (PID 4828) wrote to memory of PID 2224 (procid_target 92): 10 entries

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTP, 23 IoCs)
- attrib.exe (PIDs 7116, 2416, 5112, 7084, 1920, 7016, 5036, 6880, 3928, 6132, 4380, 4824, 6740, 3980, 7044, 2440, 7008, 4524, 6840)
- Process not Found (PIDs 5964, 5960, 2196, 2592)
Processes
Process tree; indentation shows parent/child nesting.

C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\elements.exp
  - Modifies registry class
  PID: 4152

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 2436

C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2936

  C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4828

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.0.366085307\688833909" -parentBuildID 20230214051806 -prefsHandle 1760 -prefMapHandle 1752 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49819a5c-507c-4595-9db6-6edbb0f1c1e1} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 1852 28af0c0cb58 gpu
      PID: 2308

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.1.944453049\1995671286" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ee2a48b-91f0-4beb-9641-1b7c803e33b3} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 2416 28ae3d8ae58 socket
      PID: 2224

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.2.807627887\1331619510" -childID 1 -isForBrowser -prefsHandle 2872 -prefMapHandle 2912 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {876da24a-aee6-420a-84fe-e67c5e9ef3b0} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 3036 28af3708558 tab
      PID: 320

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.3.102754992\1393564359" -childID 2 -isForBrowser -prefsHandle 3872 -prefMapHandle 3868 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38c041bd-5714-46e9-a142-5a9c9aefd34a} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 3884 28af56eae58 tab
      PID: 2212

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.4.1007493914\1018867495" -childID 3 -isForBrowser -prefsHandle 5016 -prefMapHandle 5032 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fc78e78-024a-46a4-8206-c5f6db9c2c53} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 5052 28af7f3a258 tab
      PID: 1128

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.5.28061997\356594222" -childID 4 -isForBrowser -prefsHandle 5324 -prefMapHandle 5320 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d46ed20-e416-49d5-9928-9fb003ab5cdb} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 5332 28af7f38d58 tab
      PID: 4368

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.6.1206839349\1201560154" -childID 5 -isForBrowser -prefsHandle 5476 -prefMapHandle 5484 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b59ec4a-9503-4e95-9e8e-8f530e38daa2} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 5468 28af7f3ab58 tab
      PID: 5080

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.7.1637403578\881903388" -childID 6 -isForBrowser -prefsHandle 5856 -prefMapHandle 5864 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88b0529c-fa7a-46ca-bd27-58313083a352} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 5840 28af9b4cb58 tab
      PID: 3352

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.8.888948920\720653812" -childID 7 -isForBrowser -prefsHandle 9828 -prefMapHandle 9832 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb957e85-3302-4d3b-a66b-5face77b0ed2} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 9804 28aeffb0658 tab
      PID: 5852

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.9.2003731149\27172208" -childID 8 -isForBrowser -prefsHandle 9772 -prefMapHandle 9684 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a2ebec8-b2c0-444c-a62c-530112037b53} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 9648 28aeffb1b58 tab
      PID: 5860

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.10.1556129039\862370453" -childID 9 -isForBrowser -prefsHandle 9384 -prefMapHandle 9388 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c34abae2-a1dc-4527-adce-1c94d568a123} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 9472 28aeffaf458 tab
      PID: 5868

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.11.149148807\532716151" -childID 10 -isForBrowser -prefsHandle 5608 -prefMapHandle 5604 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {edd3241d-7789-4105-b9dc-ee32d0b5bb8d} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 5596 28af7f37858 tab
      PID: 6108

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.12.756841565\163854027" -childID 11 -isForBrowser -prefsHandle 5616 -prefMapHandle 4860 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f6e3e4d-7c33-4888-af2e-5228ab92126e} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 9404 28af56ea258 tab
      PID: 5788

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.13.1434841764\1385885324" -childID 12 -isForBrowser -prefsHandle 9560 -prefMapHandle 9544 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d724a62-c08c-4962-9d4d-0e23d05698bc} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 9572 28af632f858 tab
      PID: 5772

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4828.14.1603718289\1115361721" -childID 13 -isForBrowser -prefsHandle 9832 -prefMapHandle 9828 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3aa625e2-1e0a-4096-ac04-d59e91c03522} 4828 "\\.\pipe\gecko-crash-server-pipe.4828" 9792 28af653df58 tab
      PID: 5792

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5148
-
C:\Users\Admin\Downloads\PowerCheat free.exe"C:\Users\Admin\Downloads\PowerCheat free.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5860 -
C:\Users\Admin\AppData\Local\Temp\PowerCheat_free.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheat_free.exe"2⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5896 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/powergirlso23⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2740 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0x120,0x124,0xfc,0x128,0x7ffb46e046f8,0x7ffb46e04708,0x7ffb46e047184⤵PID:5248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,8626161929999143323,18119786401915081530,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:24⤵PID:1932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,8626161929999143323,18119786401915081530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:1040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,8626161929999143323,18119786401915081530,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:84⤵PID:5588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8626161929999143323,18119786401915081530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:14⤵PID:6220
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8626161929999143323,18119786401915081530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
(depth 4) PID:6232
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8626161929999143323,18119786401915081530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
(depth 4) PID:6784
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,8626161929999143323,18119786401915081530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:8
(depth 4) PID:5960
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,8626161929999143323,18119786401915081530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:8
(depth 4) PID:6392
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8626161929999143323,18119786401915081530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
(depth 4) PID:4360
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8626161929999143323,18119786401915081530,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
(depth 4) PID:4172
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8626161929999143323,18119786401915081530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
(depth 4) PID:5904
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8626161929999143323,18119786401915081530,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
(depth 4) PID:6284
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 2)
- Checks computer location settings
- Executes dropped EXE
PID:6024
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 3)
- Checks computer location settings
- Executes dropped EXE
PID:3636
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 4)
- Checks computer location settings
- Executes dropped EXE
PID:3144
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 5)
- Checks computer location settings
- Executes dropped EXE
PID:5824
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 6)
- Checks computer location settings
- Executes dropped EXE
PID:1232
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 7)
- Checks computer location settings
- Executes dropped EXE
PID:6156
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 8)
- Checks computer location settings
- Executes dropped EXE
PID:6700
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 9)
- Checks computer location settings
- Executes dropped EXE
PID:6980
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 10)
- Checks computer location settings
- Executes dropped EXE
PID:544
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 11)
- Checks computer location settings
- Executes dropped EXE
PID:5856
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 12)
- Checks computer location settings
- Executes dropped EXE
PID:6656
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 13)
- Checks computer location settings
- Executes dropped EXE
PID:6880
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 14)
- Checks computer location settings
- Executes dropped EXE
PID:6872
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 15) PID:6384
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 16) PID:3940
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 17) PID:4252
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 18) PID:6856
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 19) PID:6888
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 20) PID:6796
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 21) PID:6984
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 22) PID:3404
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 23) PID:1008
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 24) PID:5200
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 25) PID:6656
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 26) PID:3872
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 27) PID:7164
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 28) PID:6736
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 29) PID:1916
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 30) PID:6512
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 31) PID:3620
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 32) PID:6720
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 33) PID:968
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 34) PID:6984
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 35) PID:5916
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 36) PID:6492
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 37) PID:6712
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 38) PID:404
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 39) PID:7156
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 40) PID:4184
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 41) PID:2228
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 42) PID:6692
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 43) PID:1996
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 44) PID:5956
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 45) PID:720
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 46) PID:7084
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 47) PID:2204
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 48) PID:5916
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 49) PID:6588
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 50) PID:6720
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 51) PID:1008
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 52) PID:6736
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 53) PID:6932
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 54) PID:1756
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 55) PID:900
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 56) PID:968
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 57) PID:4056
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 58) PID:7116
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 59) PID:404
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 60) PID:720
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 61) PID:5952
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 62) PID:5112
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 63) PID:6960
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 64) PID:6844
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 65) PID:4876
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 66) PID:2228
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 67) PID:1256
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 68) PID:6800
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 69) PID:6980
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 70) PID:4352
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 71) PID:2204
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 72) PID:2228
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 73) PID:5552
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 74) PID:5824
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 75) PID:6592
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 76) PID:5568
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 77) PID:6856
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 78) PID:5256
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 79) PID:5956
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 80) PID:6204
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 81) PID:2024
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 82) PID:2400
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 83) PID:6676
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 84) PID:5252
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 85) PID:1256
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 86) PID:4688
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 87) PID:6420
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 88) PID:4996
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 89) PID:7084
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 90) PID:5108
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 91) PID:2228
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 92) PID:2912
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 93) PID:6676
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 94) PID:3864
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 95) PID:512
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 96) PID:6564
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 97) PID:372
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 98) PID:4912
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 99) PID:6824
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 100) PID:6680
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 101) PID:6488
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 102) PID:7116
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 103) PID:2024
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 104) PID:6564
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 105) PID:4868
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 106) PID:7136
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 107) PID:6692
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 108) PID:3500
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 109) PID:6488
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 110) PID:3900
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 111) PID:5068
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 112) PID:6452
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 113) PID:6500
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 114) PID:6340
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 115) PID:5916
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 116) PID:2968
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 117) PID:6772
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 118) PID:6964
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 119) PID:6248
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 120) PID:3500
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 121) PID:2228
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe" (depth 122) PID:5940