Analysis
max time kernel: 46s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 17:55
Static task: static1

General
Target: macros.exp
Size: 11B
MD5: 4bc624dceaefa042d85d620a6899f789
SHA1: 80075d4ba26c76a151ae37110a47eacd30bc2c8e
SHA256: 799adf5563cca6365b1290711e311947ed6618e1854d91ae021aa51a5028e6d6
SHA512: d732882835028d2827caff2f438a5309e032f029b208d03d32dacb2d896f11faba52ee38de3e3c6940f130425c87317f3896144a4f4aaa665285b2ccc30fe0a3

Malware Config
Extracted family: umbral
C2 (Discord webhook): https://discord.com/api/webhooks/1250361429333250119/Ue0qgEfIsngTl30ZNCtwzPjGafoMAt1Nkvz6HdtQyp6-br8N7e5NViVMa77MrDft7Ulq

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Detect Umbral payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x00080000000234f5-626.dat | family_umbral
behavioral1/memory/5680-628-0x00000194759F0000-0x0000019475A30000-memory.dmp | family_umbral

AgentTesla payload (1 IoC)
resource | yara_rule
behavioral1/memory/5668-613-0x0000021639F80000-0x000002163A194000-memory.dmp | family_agenttesla

Command and Scripting Interpreter: PowerShell (1 TTP, 11 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | PowerCheat free.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | PowerCheatEmuHider.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | PowerCheatEmuHider.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | PowerCheatEmuHider.exe

Executes dropped EXE (9 IoCs)
pid | process
5356 | PowerCheat free.exe
5668 | PowerCheat_free.exe
5984 | PowerCheatEmuHider.exe
6008 | PowerCheatEmuHider.exe
5680 | HiderLdPlayer.exe
3236 | PowerCheatEmuHider.exe
3872 | HiderLdPlayer.exe
5172 | PowerCheatEmuHider.exe
5348 | HiderLdPlayer.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 22 IoCs)

Looks up external IP address via web service (12 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 12 IoCs)
Processor information is often read in order to detect sandboxing environments.

Detects videocard installed (1 TTP, 11 IoCs)
Uses WMIC.exe to determine videocard installed.

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | PowerCheat_free.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | PowerCheat_free.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | PowerCheat_free.exe

Modifies registry class (3 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings | firefox.exe

NTFS ADS (1 IoC)
description | ioc | process
File created | C:\Users\Admin\Downloads\PowerCheat free.exe:Zone.Identifier | firefox.exe

Runs ping.exe (1 TTP, 11 IoCs)

Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid | process
5668 | PowerCheat_free.exe
5668 | PowerCheat_free.exe
5668 | PowerCheat_free.exe
5680 | HiderLdPlayer.exe
5680 | HiderLdPlayer.exe

Suspicious use of AdjustPrivilegeToken (48 IoCs)

Suspicious use of FindShellTrayWindow (7 IoCs)

Suspicious use of SendNotifyMessage (6 IoCs)

Suspicious use of SetWindowsHookEx (5 IoCs)
pid | process
3824 | OpenWith.exe
2092 | firefox.exe
2092 | firefox.exe
2092 | firefox.exe
2092 | firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTP, 12 IoCs)

Processes

[level 1] C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\macros.exp
  - Modifies registry class
  PID: 696

[level 1] C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 3824

[level 1] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3252

[level 2] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2092

[level 3] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.0.382251587\1802216569" -parentBuildID 20230214051806 -prefsHandle 1720 -prefMapHandle 1712 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2abfffd-fafd-4548-b91a-37362750fd76} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 1812 1dfd920a558 gpu
  PID: 4476

[level 3] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.1.1205856578\496853739" -parentBuildID 20230214051806 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31de479f-32ee-40d5-92f9-de363263ff1a} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 2400 1dfc5086e58 socket
  PID: 4040

[level 3] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.2.337654379\366261449" -childID 1 -isForBrowser -prefsHandle 2864 -prefMapHandle 2880 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ea70f1d-84d5-41e1-b8df-0e15900e69aa} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 2844 1dfdc111c58 tab
  PID: 4136

[level 3] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.3.1562098139\2127389140" -childID 2 -isForBrowser -prefsHandle 4036 -prefMapHandle 4032 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cae6749-db28-48a2-982f-5a2da8cf1e35} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 4048 1dfdd5a2658 tab
  PID: 4772

[level 3] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.4.1283901092\608248240" -childID 3 -isForBrowser -prefsHandle 4936 -prefMapHandle 4868 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b164e0d7-a4fa-4091-aa7f-d5dd2964423e} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 4928 1dfdfe6b458 tab
  PID: 2988

[level 3] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.5.1385643627\1145103704" -childID 4 -isForBrowser -prefsHandle 5088 -prefMapHandle 5092 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b004c09-a0be-4b3e-a8d0-84a4cd640d30} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 5076 1dfdfe6b758 tab
  PID: 3616

[level 3] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.6.557388482\398084699" -childID 5 -isForBrowser -prefsHandle 5296 -prefMapHandle 5300 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad7512be-4142-435c-9a98-c1c7c90d2348} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 4972 1dfdfe6c958 tab
  PID: 3928

[level 3] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.7.108050532\1696809827" -childID 6 -isForBrowser -prefsHandle 5952 -prefMapHandle 5944 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95f226fd-b610-4ec8-8353-42be5bef653e} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 5960 1dfe1847258 tab
  PID: 4924

[level 3] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.8.1228986513\716639778" -childID 7 -isForBrowser -prefsHandle 10072 -prefMapHandle 10088 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4194d04b-9282-4959-9b7b-0c91da5f00f6} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 10060 1dfdee7cb58 tab
  PID: 2136

[level 3] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.9.1830207837\1834363030" -childID 8 -isForBrowser -prefsHandle 9908 -prefMapHandle 9904 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d903b07-1a03-43f9-bdf1-1e9d71196141} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 10040 1dfdee7c258 tab
  PID: 4420

[level 3] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.10.1377577497\215565356" -childID 9 -isForBrowser -prefsHandle 9724 -prefMapHandle 9740 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eaf46e37-2dcd-42d6-a633-0ca13d294451} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 6152 1dfe139e258 tab
  PID: 4576

[level 3] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.11.527817869\1527999408" -childID 10 -isForBrowser -prefsHandle 9676 -prefMapHandle 5500 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f76d5d2-6304-4b6e-b478-3df3afefe2a9} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 5544 1dfe1764858 tab
  PID: 5544

[level 3] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.12.58890372\860643805" -childID 11 -isForBrowser -prefsHandle 9452 -prefMapHandle 10048 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d6c7722-81ed-412f-b27d-bacf0ccc8318} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 9912 1dfdee7c258 tab
  PID: 5472

[level 3] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.13.294966449\957006361" -childID 12 -isForBrowser -prefsHandle 9456 -prefMapHandle 9704 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19984e14-7ca1-40a8-a31d-cbe0efc5def0} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 10060 1dfdf9af158 tab
  PID: 5512

[level 3] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.14.1566034439\1555624492" -childID 13 -isForBrowser -prefsHandle 5968 -prefMapHandle 6120 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f57f2b9-eec4-404e-b6aa-468adf3763d6} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 6012 1dfdf9afa58 tab
  PID: 5524

[level 3] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.15.492968858\819171178" -childID 14 -isForBrowser -prefsHandle 4376 -prefMapHandle 4900 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59395b5e-22b0-496a-801e-d5ce2877a613} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 5252 1dfddd5c258 tab
  PID: 1008

[level 3] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.16.1007076817\851325028" -childID 15 -isForBrowser -prefsHandle 9764 -prefMapHandle 9856 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce06acee-41ef-422f-bb69-724a8a909daa} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 6068 1dfe1785858 tab
  PID: 6060

[level 3] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.17.1040154990\622717756" -childID 16 -isForBrowser -prefsHandle 10092 -prefMapHandle 9892 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d20a6f57-dc48-42a1-9426-7f8d9b973bde} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 4972 1dfd988db58 tab
  PID: 5304

[level 3] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.18.692667121\705252695" -childID 17 -isForBrowser -prefsHandle 6172 -prefMapHandle 10136 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebff75f9-b937-48bc-90fa-441b66b3a89f} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 9452 1dfdfd06858 tab
  PID: 5312

[level 3] C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2092.19.34105818\1233523547" -childID 18 -isForBrowser -prefsHandle 9312 -prefMapHandle 9304 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1252 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {476ddf42-5a9f-41ae-8416-5a45836d961a} 2092 "\\.\pipe\gecko-crash-server-pipe.2092" 10040 1dfe1785b58 tab
  PID: 5624

[level 3] C:\Users\Admin\Downloads\PowerCheat free.exe
  "C:\Users\Admin\Downloads\PowerCheat free.exe"
  - Checks computer location settings
  - Executes dropped EXE
  PID: 5356

[level 4] C:\Users\Admin\AppData\Local\Temp\PowerCheat_free.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheat_free.exe"
  - Executes dropped EXE
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 5668

[level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/powergirlso2
  PID: 6124

[level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa8a0646f8,0x7ffa8a064708,0x7ffa8a064718
  PID: 6108

[level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,7193557125099389925,17047886685571870593,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 /prefetch:2
  PID: 4512

[level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,7193557125099389925,17047886685571870593,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  PID: 5236

[level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,7193557125099389925,17047886685571870593,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
  PID: 5588

[level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7193557125099389925,17047886685571870593,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  PID: 6208

[level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7193557125099389925,17047886685571870593,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  PID: 6224

[level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7193557125099389925,17047886685571870593,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1
  PID: 6884

[level 6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,7193557125099389925,17047886685571870593,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  PID: 5344

[level 6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,7193557125099389925,17047886685571870593,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  PID: 6408

[level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7193557125099389925,17047886685571870593,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  PID: 7100

[level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7193557125099389925,17047886685571870593,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  PID: 6996

[level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7193557125099389925,17047886685571870593,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  PID: 6800

[level 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,7193557125099389925,17047886685571870593,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  PID: 6048

[level 4] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  - Checks computer location settings
  - Executes dropped EXE
  PID: 5984

[level 5] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  - Checks computer location settings
  - Executes dropped EXE
  PID: 6008

[level 6] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  - Checks computer location settings
  - Executes dropped EXE
  PID: 3236

[level 7] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  - Executes dropped EXE
  PID: 5172

[level 8] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 5816

[level 9] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 6720

[level 10] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 6892

[level 11] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 7144

[level 12] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 6480

[level 13] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 6792

[level 14] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 6868

[level 15] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 6632

[level 16] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 5464

[level 17] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 6048

[level 18] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 6788

[level 19] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 6284

[level 20] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 6556

[level 21] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 6512

[level 22] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 1452

[level 23] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 6936

[level 24] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 6576

[level 25] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 6348

[level 26] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 3768

[level 27] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 6552

[level 28] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
  PID: 2324
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"29⤵PID:1792
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"30⤵PID:5896
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"31⤵PID:7132
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"32⤵PID:6496
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"33⤵PID:6580
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"34⤵PID:6956
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"35⤵PID:6768
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"36⤵PID:6208
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"37⤵PID:6212
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"38⤵PID:6044
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"39⤵PID:6788
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"40⤵PID:5724
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"41⤵PID:7060
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"42⤵PID:6276
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"43⤵PID:6272
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"44⤵PID:6508
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"45⤵PID:7072
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"46⤵PID:6212
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"47⤵PID:1792
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"48⤵PID:4636
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"49⤵PID:5428
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"50⤵PID:6496
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"51⤵PID:5896
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"52⤵PID:5176
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"53⤵PID:4636
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"54⤵PID:3408
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"55⤵PID:6572
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"56⤵PID:6560
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"57⤵PID:6928
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"58⤵PID:6604
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"59⤵PID:6528
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"60⤵PID:7144
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"61⤵PID:6960
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"62⤵PID:5888
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"63⤵PID:6440
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"64⤵PID:6352
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"65⤵PID:3188
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"66⤵PID:6564
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"67⤵PID:6092
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"68⤵PID:6660
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"69⤵PID:6256
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"70⤵PID:3940
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"71⤵PID:6516
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"72⤵PID:3036
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"73⤵PID:3712
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"74⤵PID:6084
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"75⤵PID:6236
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"76⤵PID:6840
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"77⤵PID:6160
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"78⤵PID:2136
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"79⤵PID:1900
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"80⤵PID:6572
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"81⤵PID:6872
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"82⤵PID:6288
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"83⤵PID:4636
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"84⤵PID:7160
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"85⤵PID:3792
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"86⤵PID:5124
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"87⤵PID:6660
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"88⤵PID:6684
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"89⤵PID:3036
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"90⤵PID:6160
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"91⤵PID:2268
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"92⤵PID:7160
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"93⤵PID:6900
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"94⤵PID:2324
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"95⤵PID:6668
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"96⤵PID:6280
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"97⤵PID:6448
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"98⤵PID:1288
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"99⤵PID:6492
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"100⤵PID:2012
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"101⤵PID:6936
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"102⤵PID:4032
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"103⤵PID:3200
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"104⤵PID:6092
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"105⤵PID:6964
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"106⤵PID:4008
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"107⤵PID:6868
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"108⤵PID:3036
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"109⤵PID:6336
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"110⤵PID:6332
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"111⤵PID:6724
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"112⤵PID:1060
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"113⤵PID:6872
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"114⤵PID:7132
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"115⤵PID:6804
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"116⤵PID:6484
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"117⤵PID:6456
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"118⤵PID:6880
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"119⤵PID:1496
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"120⤵PID:7016
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"121⤵PID:6640
-
C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"122⤵PID:7032