Analysis
max time kernel: 310s
max time network: 312s
platform: windows10-ltsc_2021_x64
resource: win10ltsc2021-20250410-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250410-en, locale:en-us, os:windows10-ltsc_2021-x64, system
submitted: 21/04/2025, 01:20
Static task: static1
Behavioral task: behavioral1
Sample: CryptoLocker.exe
Resource: win10ltsc2021-20250410-en
General
Target: CryptoLocker.exe
Size: 338KB
MD5: 04fb36199787f2e3e2135611a38321eb
SHA1: 65559245709fe98052eb284577f1fd61c01ad20d
SHA256: d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512: 533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
SSDEEP: 6144:sWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkEuCaNT85I2vCMX5l+ZRv
Malware Config
Signatures
-
CryptoLocker
Ransomware family with multiple variants.
-
Cryptolocker family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Downloads MZ/PE file 4 IoCs
flow | pid | Process
288 | 4156 | firefox.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000\Control Panel\International\Geo\Nation | AdwereCleaner.exe
-
Deletes itself 1 IoCs
pid | Process
404 | {34184A33-0407-212E-3320-09040709E2C2}.exe
-
Executes dropped EXE 11 IoCs
pid | Process
404 | {34184A33-0407-212E-3320-09040709E2C2}.exe
4348 | {34184A33-0407-212E-3320-09040709E2C2}.exe
3068 | {34184A33-0407-212E-3320-09040709E2C2}.exe
5248 | AdwereCleaner.exe
4960 | 6AdwCleaner.exe
4236 | 6AdwCleaner.exe
6096 | WinNuke.98.exe
1672 | satan.exe
5340 | satan.exe
5672 | waruy.exe
4964 | waruy.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe" | {34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto" | 6AdwCleaner.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow | ioc
287 | raw.githubusercontent.com
288 | raw.githubusercontent.com
289 | raw.githubusercontent.com
290 | raw.githubusercontent.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
4964 | waruy.exe
-
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 1672 set thread context of 5340 | 1672 | satan.exe | 128
PID 5672 set thread context of 4964 | 5672 | waruy.exe | 132
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description | ioc | Process
File created | C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\satan.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\AdwereCleaner.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier | firefox.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | satan.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AdwereCleaner.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinNuke.98.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CryptoLocker.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {34184A33-0407-212E-3320-09040709E2C2}.exe
-
NSIS installer 2 IoCs
resource | yara_rule
behavioral1/files/0x000800000002834a-1048.dat | nsis_installer_1
behavioral1/files/0x000800000002834a-1048.dat | nsis_installer_2
-
Checks processor information in registry 2 TTPs 25 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
6136 | vssadmin.exe
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings | firefox.exe
-
NTFS ADS 6 IoCs
description | ioc | Process
File created | C:\Users\Admin\Downloads\Walker.com:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\satan.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\AdwereCleaner.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\Melissa.doc:Zone.Identifier | firefox.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
656 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1672 | satan.exe
5672 | waruy.exe
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4156 | firefox.exe
Token: SeDebugPrivilege | 4960 | 6AdwCleaner.exe
Token: SeDebugPrivilege | 4236 | 6AdwCleaner.exe
-
Suspicious use of FindShellTrayWindow 34 IoCs
pid | Process
4156 | firefox.exe
-
Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
4156 | firefox.exe
-
Suspicious use of SetWindowsHookEx 40 IoCs
pid | Process
4156 | firefox.exe
4960 | 6AdwCleaner.exe
4236 | 6AdwCleaner.exe
656 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1876 wrote to memory of 404 | 1876 | CryptoLocker.exe | 82
PID 404 wrote to memory of 4348 | 404 | {34184A33-0407-212E-3320-09040709E2C2}.exe | 83
PID 1612 wrote to memory of 3068 | 1612 | cmd.exe | 86
PID 5256 wrote to memory of 4156 | 5256 | firefox.exe | 100
PID 4156 wrote to memory of 3820 | 4156 | firefox.exe | 101
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3900
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4068
-
C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000002403⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exeC:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3068
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5256 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Downloads MZ/PE file
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1980 -prefsLen 27100 -prefMapHandle 1984 -prefMapSize 270279 -ipcHandle 2072 -initialChannelId {efc6e0a9-3909-4f6b-8df9-60c795d607c7} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu3⤵PID:3820
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2436 -prefsLen 27136 -prefMapHandle 2440 -prefMapSize 270279 -ipcHandle 2444 -initialChannelId {a2b182f7-5d2a-44e2-abc4-0f1eb75c550b} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket3⤵PID:3380
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3972 -prefsLen 27277 -prefMapHandle 3976 -prefMapSize 270279 -jsInitHandle 3980 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3984 -initialChannelId {5ef19e33-d59a-41c1-9fe7-a6701bb2b133} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab3⤵
- Checks processor information in registry
PID:1148
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4132 -prefsLen 27277 -prefMapHandle 4136 -prefMapSize 270279 -ipcHandle 4152 -initialChannelId {065f1a51-90d1-47a4-a61d-5305c7d47408} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd3⤵PID:4996
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3256 -prefsLen 34776 -prefMapHandle 2948 -prefMapSize 270279 -jsInitHandle 1628 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4492 -initialChannelId {40dc5a20-e4bf-47ea-80ec-1ce458352560} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab3⤵
- Checks processor information in registry
PID:492
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 3144 -prefsLen 35013 -prefMapHandle 3148 -prefMapSize 270279 -ipcHandle 3132 -initialChannelId {6786ffd1-a589-4608-adaa-8eb489bd2e7d} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility3⤵
- Checks processor information in registry
PID:2028
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5312 -prefsLen 32900 -prefMapHandle 5316 -prefMapSize 270279 -jsInitHandle 5320 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5328 -initialChannelId {ee938bcc-a075-4368-9806-753544bfd69e} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab3⤵
- Checks processor information in registry
PID:5600
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5460 -prefsLen 32952 -prefMapHandle 5352 -prefMapSize 270279 -jsInitHandle 5520 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5528 -initialChannelId {4261ce28-31e4-40b9-b302-4da78718ea6e} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab3⤵
- Checks processor information in registry
PID:980
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5704 -prefsLen 32952 -prefMapHandle 5708 -prefMapSize 270279 -jsInitHandle 5712 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5724 -initialChannelId {afa4edb6-e919-477f-8903-04862336ac44} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab3⤵
- Checks processor information in registry
PID:464
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6472 -prefsLen 33071 -prefMapHandle 6412 -prefMapSize 270279 -jsInitHandle 6248 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3820 -initialChannelId {b42d314a-fed6-4992-9de8-54d959e8013f} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab3⤵
- Checks processor information in registry
PID:3740
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6816 -prefsLen 36543 -prefMapHandle 6804 -prefMapSize 270279 -jsInitHandle 6820 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6828 -initialChannelId {ad562d3a-73c3-45c0-8bd0-c76272de8d3f} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab3⤵
- Checks processor information in registry
PID:6124
-
-
C:\Users\Admin\Downloads\AdwereCleaner.exe"C:\Users\Admin\Downloads\AdwereCleaner.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5248 -
C:\Users\Admin\AppData\Local\6AdwCleaner.exe"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4960
-
-
-
C:\Users\Admin\Downloads\WinNuke.98.exe"C:\Users\Admin\Downloads\WinNuke.98.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6096
-
-
C:\Users\Admin\Downloads\satan.exe"C:\Users\Admin\Downloads\satan.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1672 -
C:\Users\Admin\Downloads\satan.exe"C:\Users\Admin\Downloads\satan.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5340 -
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe"C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5672 -
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe"C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4964 -
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet7⤵
- Interacts with shadow copies
PID:6136
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_a1977cde.bat"5⤵
- System Location Discovery: System Language Discovery
PID:728 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:2204
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\6AdwCleaner.exe" -auto1⤵PID:3396
-
C:\Users\Admin\AppData\Local\6AdwCleaner.exeC:\Users\Admin\AppData\Local\6AdwCleaner.exe -auto2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4236
-
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\4696bde7c2634a31a43935c5460b53d4 /t 4204 /p 42361⤵PID:4264
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Melissa.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:656
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:1932
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:3960
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe2⤵PID:2508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:3000
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:5468
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe2⤵PID:2360
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe3⤵PID:5092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:1648
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe2⤵PID:4040
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe3⤵PID:2808
-
-
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:2192
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:3432
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe2⤵PID:2992
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe3⤵PID:4428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:3068
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:5844
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe2⤵PID:5056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:5180
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:5028
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe2⤵PID:5776
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe3⤵PID:3228
-
-
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:5564
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:4524
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:4480
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe2⤵PID:276
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe3⤵PID:3120
-
-
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:1980
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe2⤵PID:5080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:2068
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe2⤵PID:3960
-
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:2492
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:5556
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe2⤵PID:2644
-
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe2⤵PID:6540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:6872
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe2⤵PID:3396
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe3⤵PID:6276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:6176
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe2⤵PID:1504
-
-
C:\Users\Admin\AppData\Roaming\Soruo\waruy.exeC:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:5972
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:6804
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:4932
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:3960
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe1⤵PID:5676
Network
MITRE ATT&CK Enterprise v16
Privilege Escalation
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Defense Evasion
Direct Volume Access: 1
Indicator Removal: 2
File Deletion: 2
Modify Registry: 1
Subvert Trust Controls: 1
SIP and Trust Provider Hijacking: 1
Downloads