amadey | a6ee6130d83bbe55e9dacdff2005950d69fc2d3c54e28467b82c148e274d90da

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	0c80a0ef434aaecd6b1c888567935b97.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	0c80a0ef434aaecd6b1c888567935b97.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\Desktop\0c80a0ef434aaecd6b1c888567935b97.exe = "C:\\Users\\Admin\\Desktop\\0c80a0ef434aaecd6b1c888567935b97.exe:*:enabled:@shell32.dll,-1"	0c80a0ef434aaecd6b1c888567935b97.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	0c80a0ef434aaecd6b1c888567935b97.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0bb3e9c660f99967ca4c8e21bc46e940.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	nolew.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
99	4780	chrome.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000500000001e604-1448.dat	acprotect

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	0da5b00e8e941ac4be29830e6040cb5f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	rgbux.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	0bb3e9c660f99967ca4c8e21bc46e940.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 32 IoCs

pid	Process
5608	7z2409-x64.exe
5684	7zG.exe
2520	7z.exe
4464	7zFM.exe
3280	7zG.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
6128	0c80a0ef434aaecd6b1c888567935b97.exe
1540	0cae2144249cca11917ce26657fc0281.exe
2712	wosaom.exe
5284	0d83a54f6bb735aa81496e24932f448c.exe
3040	0da5b00e8e941ac4be29830e6040cb5f.exe
392	rgbux.exe
6040	00dbc74e3561adf15cb078b0b5f96860.exe
4300	00dbc74e3561adf15cb078b0b5f96860.exe
6068	00dbc74e3561adf15cb078b0b5f96860.exe
2604	0bb3e9c660f99967ca4c8e21bc46e940.exe
4940	0bb3e9c660f99967ca4c8e21bc46e940.exe
3748	0bb3e9c660f99967ca4c8e21bc46e940.exe
432	nolew.exe
4276	nolew.exe
4440	nolew.exe
1688	nolew.exe
5636	0bb3e9c660f99967ca4c8e21bc46e940.exe
1692	0bb3e9c660f99967ca4c8e21bc46e940.exe
4956	0bb3e9c660f99967ca4c8e21bc46e940.exe
5700	nolew.exe
844	0bb3e9c660f99967ca4c8e21bc46e940.exe
1628	0bb3e9c660f99967ca4c8e21bc46e940.exe
4552	0bb3e9c660f99967ca4c8e21bc46e940.exe
448	0bb3e9c660f99967ca4c8e21bc46e940.exe
964	0bb3e9c660f99967ca4c8e21bc46e940.exe
920	nolew.exe

Loads dropped DLL 50 IoCs

pid	Process
3548	Explorer.EXE
3548	Explorer.EXE
3280	7zG.exe
4464	7zFM.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
6128	0c80a0ef434aaecd6b1c888567935b97.exe
6128	0c80a0ef434aaecd6b1c888567935b97.exe
3040	0da5b00e8e941ac4be29830e6040cb5f.exe
3040	0da5b00e8e941ac4be29830e6040cb5f.exe
392	rgbux.exe
392	rgbux.exe
6040	00dbc74e3561adf15cb078b0b5f96860.exe
6040	00dbc74e3561adf15cb078b0b5f96860.exe
4300	00dbc74e3561adf15cb078b0b5f96860.exe
4300	00dbc74e3561adf15cb078b0b5f96860.exe
6068	00dbc74e3561adf15cb078b0b5f96860.exe
6068	00dbc74e3561adf15cb078b0b5f96860.exe
2604	0bb3e9c660f99967ca4c8e21bc46e940.exe
2604	0bb3e9c660f99967ca4c8e21bc46e940.exe
4940	0bb3e9c660f99967ca4c8e21bc46e940.exe
4940	0bb3e9c660f99967ca4c8e21bc46e940.exe
3748	0bb3e9c660f99967ca4c8e21bc46e940.exe
3748	0bb3e9c660f99967ca4c8e21bc46e940.exe
432	nolew.exe
432	nolew.exe
4276	nolew.exe
4276	nolew.exe
4440	nolew.exe
4440	nolew.exe
1688	nolew.exe
1688	nolew.exe
5636	0bb3e9c660f99967ca4c8e21bc46e940.exe
5636	0bb3e9c660f99967ca4c8e21bc46e940.exe
1692	0bb3e9c660f99967ca4c8e21bc46e940.exe
1692	0bb3e9c660f99967ca4c8e21bc46e940.exe
4956	0bb3e9c660f99967ca4c8e21bc46e940.exe
4956	0bb3e9c660f99967ca4c8e21bc46e940.exe
5700	nolew.exe
5700	nolew.exe
844	0bb3e9c660f99967ca4c8e21bc46e940.exe
844	0bb3e9c660f99967ca4c8e21bc46e940.exe
1628	0bb3e9c660f99967ca4c8e21bc46e940.exe
1628	0bb3e9c660f99967ca4c8e21bc46e940.exe
4552	0bb3e9c660f99967ca4c8e21bc46e940.exe
4552	0bb3e9c660f99967ca4c8e21bc46e940.exe
448	0bb3e9c660f99967ca4c8e21bc46e940.exe
448	0bb3e9c660f99967ca4c8e21bc46e940.exe
964	0bb3e9c660f99967ca4c8e21bc46e940.exe
964	0bb3e9c660f99967ca4c8e21bc46e940.exe

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\O:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\T:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\U:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\V:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\Y:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\Z:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\P:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\G:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\H:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\I:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\X:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\J:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\N:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\S:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\W:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\Q:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\R:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\E:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\K:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\L:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\M:	0c80a0ef434aaecd6b1c888567935b97.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
126	raw.githubusercontent.com
129	raw.githubusercontent.com
155	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wosaom.exe	0cae2144249cca11917ce26657fc0281.exe
File opened for modification	C:\Windows\SysWOW64\wosaom.exe	0cae2144249cca11917ce26657fc0281.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0da5b00e8e941ac4be29830e6040cb5f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nolew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bb3e9c660f99967ca4c8e21bc46e940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2409-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wosaom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nolew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bb3e9c660f99967ca4c8e21bc46e940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nolew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bb3e9c660f99967ca4c8e21bc46e940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c80a0ef434aaecd6b1c888567935b97.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00dbc74e3561adf15cb078b0b5f96860.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00dbc74e3561adf15cb078b0b5f96860.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nolew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bb3e9c660f99967ca4c8e21bc46e940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker-3.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d83a54f6bb735aa81496e24932f448c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bb3e9c660f99967ca4c8e21bc46e940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgbux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bb3e9c660f99967ca4c8e21bc46e940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bb3e9c660f99967ca4c8e21bc46e940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bb3e9c660f99967ca4c8e21bc46e940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nolew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c80a0ef434aaecd6b1c888567935b97.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nolew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bb3e9c660f99967ca4c8e21bc46e940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bb3e9c660f99967ca4c8e21bc46e940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cae2144249cca11917ce26657fc0281.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00dbc74e3561adf15cb078b0b5f96860.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bb3e9c660f99967ca4c8e21bc46e940.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133884083834121575"	chrome.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2409-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Users\\Admin\\Desktop\\7-Zip\\7-zip.dll"	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Users\\Admin\\Desktop\\7-Zip\\7-zip32.dll"	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
1540	0cae2144249cca11917ce26657fc0281.exe
1540	0cae2144249cca11917ce26657fc0281.exe
2712	wosaom.exe
2712	wosaom.exe
6040	00dbc74e3561adf15cb078b0b5f96860.exe
6040	00dbc74e3561adf15cb078b0b5f96860.exe
4300	00dbc74e3561adf15cb078b0b5f96860.exe
4300	00dbc74e3561adf15cb078b0b5f96860.exe
6068	00dbc74e3561adf15cb078b0b5f96860.exe
6068	00dbc74e3561adf15cb078b0b5f96860.exe
6040	00dbc74e3561adf15cb078b0b5f96860.exe
6040	00dbc74e3561adf15cb078b0b5f96860.exe
4300	00dbc74e3561adf15cb078b0b5f96860.exe
4300	00dbc74e3561adf15cb078b0b5f96860.exe
6068	00dbc74e3561adf15cb078b0b5f96860.exe
6068	00dbc74e3561adf15cb078b0b5f96860.exe
6040	00dbc74e3561adf15cb078b0b5f96860.exe
6040	00dbc74e3561adf15cb078b0b5f96860.exe
4300	00dbc74e3561adf15cb078b0b5f96860.exe
4300	00dbc74e3561adf15cb078b0b5f96860.exe
6068	00dbc74e3561adf15cb078b0b5f96860.exe
6068	00dbc74e3561adf15cb078b0b5f96860.exe
6040	00dbc74e3561adf15cb078b0b5f96860.exe
6040	00dbc74e3561adf15cb078b0b5f96860.exe
4300	00dbc74e3561adf15cb078b0b5f96860.exe
4300	00dbc74e3561adf15cb078b0b5f96860.exe
6068	00dbc74e3561adf15cb078b0b5f96860.exe
6068	00dbc74e3561adf15cb078b0b5f96860.exe
6040	00dbc74e3561adf15cb078b0b5f96860.exe
6040	00dbc74e3561adf15cb078b0b5f96860.exe
4300	00dbc74e3561adf15cb078b0b5f96860.exe
4300	00dbc74e3561adf15cb078b0b5f96860.exe
6068	00dbc74e3561adf15cb078b0b5f96860.exe
6068	00dbc74e3561adf15cb078b0b5f96860.exe
6040	00dbc74e3561adf15cb078b0b5f96860.exe
6040	00dbc74e3561adf15cb078b0b5f96860.exe
4300	00dbc74e3561adf15cb078b0b5f96860.exe
4300	00dbc74e3561adf15cb078b0b5f96860.exe
2604	0bb3e9c660f99967ca4c8e21bc46e940.exe
2604	0bb3e9c660f99967ca4c8e21bc46e940.exe
6068	00dbc74e3561adf15cb078b0b5f96860.exe
6068	00dbc74e3561adf15cb078b0b5f96860.exe
432	nolew.exe
432	nolew.exe
432	nolew.exe
432	nolew.exe
6040	00dbc74e3561adf15cb078b0b5f96860.exe
6040	00dbc74e3561adf15cb078b0b5f96860.exe
2604	0bb3e9c660f99967ca4c8e21bc46e940.exe
2604	0bb3e9c660f99967ca4c8e21bc46e940.exe
2604	0bb3e9c660f99967ca4c8e21bc46e940.exe
2604	0bb3e9c660f99967ca4c8e21bc46e940.exe
432	nolew.exe
432	nolew.exe
2604	0bb3e9c660f99967ca4c8e21bc46e940.exe
2604	0bb3e9c660f99967ca4c8e21bc46e940.exe
2604	0bb3e9c660f99967ca4c8e21bc46e940.exe
2604	0bb3e9c660f99967ca4c8e21bc46e940.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5608	7z2409-x64.exe
1804	OpenWith.exe
4464	7zFM.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4464	7zFM.exe
4464	7zFM.exe
3280	7zG.exe
4464	7zFM.exe
4464	7zFM.exe
4464	7zFM.exe
4464	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
1804	OpenWith.exe
1804	OpenWith.exe
1804	OpenWith.exe
4376	0c80a0ef434aaecd6b1c888567935b97.exe
6128	0c80a0ef434aaecd6b1c888567935b97.exe
2604	0bb3e9c660f99967ca4c8e21bc46e940.exe
4940	0bb3e9c660f99967ca4c8e21bc46e940.exe
3748	0bb3e9c660f99967ca4c8e21bc46e940.exe
432	nolew.exe
4276	nolew.exe
4440	nolew.exe
1688	nolew.exe
5636	0bb3e9c660f99967ca4c8e21bc46e940.exe
1692	0bb3e9c660f99967ca4c8e21bc46e940.exe
4956	0bb3e9c660f99967ca4c8e21bc46e940.exe
5700	nolew.exe
844	0bb3e9c660f99967ca4c8e21bc46e940.exe
1628	0bb3e9c660f99967ca4c8e21bc46e940.exe
4552	0bb3e9c660f99967ca4c8e21bc46e940.exe
448	0bb3e9c660f99967ca4c8e21bc46e940.exe
964	0bb3e9c660f99967ca4c8e21bc46e940.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 4680	4608	chrome.exe	91
PID 4608 wrote to memory of 4680	4608	chrome.exe	91
PID 4608 wrote to memory of 4780	4608	chrome.exe	92
PID 4608 wrote to memory of 4780	4608	chrome.exe	92
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 4808	4608	chrome.exe	93
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95
PID 4608 wrote to memory of 3064	4608	chrome.exe	95

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:788
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:376

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:804
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3112
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3876
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3984
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4044
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:736
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3620
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:1580
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:5244
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:5056
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3220
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4292
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  2⤵
  PID:1908
- C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1804
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
  2⤵
  PID:5436
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:5676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:332

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1220
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2896
- C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe
  C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe
  2⤵
  PID:3788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1548
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2128

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2276

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2304

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2808

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3464

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
PID:3548
- C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.1.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.1.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9d905dcf8,0x7ff9d905dd04,0x7ff9d905dd10
    3⤵
    PID:4680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1560,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2056 /prefetch:3
    3⤵
    - Downloads MZ/PE file
    PID:4780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2028,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2024 /prefetch:2
    3⤵
    PID:4808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2324,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2476 /prefetch:8
    3⤵
    PID:3064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3116 /prefetch:1
    3⤵
    PID:4164
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3144 /prefetch:1
    3⤵
    PID:5284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4252,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4220 /prefetch:2
    3⤵
    PID:3824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4664,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4748 /prefetch:1
    3⤵
    PID:4516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5004,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5336 /prefetch:8
    3⤵
    PID:1016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5544,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5360 /prefetch:8
    3⤵
    PID:396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5548,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5692 /prefetch:8
    3⤵
    PID:3248
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5332,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5748 /prefetch:8
    3⤵
    PID:2416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5628,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5848 /prefetch:8
    3⤵
    PID:4040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5832,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5872 /prefetch:8
    3⤵
    PID:2248
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5956,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5980 /prefetch:1
    3⤵
    PID:3744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3324,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:2556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5784,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3076 /prefetch:1
    3⤵
    PID:5552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=6116,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3124 /prefetch:1
    3⤵
    PID:2056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=6004,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5772 /prefetch:1
    3⤵
    PID:1316
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6176,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6168 /prefetch:8
    3⤵
    PID:468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5616,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5472 /prefetch:8
    3⤵
    PID:4724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6160,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3416 /prefetch:8
    3⤵
    PID:1180
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3200,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6220 /prefetch:8
    3⤵
    PID:6084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=4244,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6224 /prefetch:1
    3⤵
    PID:3036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=3368,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4332 /prefetch:2
    3⤵
    PID:2452
- - C:\Users\Admin\Downloads\7z2409-x64.exe
    "C:\Users\Admin\Downloads\7z2409-x64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    PID:5608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4788,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6128 /prefetch:8
    3⤵
    PID:3204
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5852,i,8896480760181085762,5730977878808502459,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4948 /prefetch:8
    3⤵
    PID:4676
- C:\Users\Admin\Desktop\7-Zip\7zG.exe
  "C:\Users\Admin\Desktop\7-Zip\7zG.exe"
  2⤵
  - Executes dropped EXE
  PID:5684
- C:\Users\Admin\Desktop\7-Zip\7z.exe
  "C:\Users\Admin\Desktop\7-Zip\7z.exe"
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Users\Admin\Desktop\7-Zip\7zFM.exe
  "C:\Users\Admin\Desktop\7-Zip\7zFM.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4464
- - C:\Users\Admin\Desktop\7-Zip\7zG.exe
    "C:\Users\Admin\Desktop\7-Zip\7zG.exe" a -i#7zMap20676:72:7zEvent30270 -ad -saa -- "C:\infected_2"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:3280
- C:\Users\Admin\Desktop\0c80a0ef434aaecd6b1c888567935b97.exe
  "C:\Users\Admin\Desktop\0c80a0ef434aaecd6b1c888567935b97.exe"
  2⤵
  - Modifies firewall policy service
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:4376
- C:\Users\Admin\Desktop\0c80a0ef434aaecd6b1c888567935b97.exe
  "C:\Users\Admin\Desktop\0c80a0ef434aaecd6b1c888567935b97.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6128
- C:\Users\Admin\Desktop\0cae2144249cca11917ce26657fc0281.exe
  "C:\Users\Admin\Desktop\0cae2144249cca11917ce26657fc0281.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1540
- C:\Users\Admin\Desktop\0d83a54f6bb735aa81496e24932f448c.exe
  "C:\Users\Admin\Desktop\0d83a54f6bb735aa81496e24932f448c.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5284
- C:\Users\Admin\Desktop\0da5b00e8e941ac4be29830e6040cb5f.exe
  "C:\Users\Admin\Desktop\0da5b00e8e941ac4be29830e6040cb5f.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe
    "C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:392
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\152c6d54a1\
      4⤵
      System Location Discovery: System Language Discovery
      PID:5052
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\152c6d54a1\
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rgbux.exe /TR "C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe" /F
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5040
- C:\Users\Admin\Desktop\00dbc74e3561adf15cb078b0b5f96860.exe
  "C:\Users\Admin\Desktop\00dbc74e3561adf15cb078b0b5f96860.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:6040
- C:\Users\Admin\Desktop\00dbc74e3561adf15cb078b0b5f96860.exe
  "C:\Users\Admin\Desktop\00dbc74e3561adf15cb078b0b5f96860.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4300
- C:\Users\Admin\Desktop\00dbc74e3561adf15cb078b0b5f96860.exe
  "C:\Users\Admin\Desktop\00dbc74e3561adf15cb078b0b5f96860.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:6068
- C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
  "C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2604
- - C:\Users\Admin\nolew.exe
    "C:\Users\Admin\nolew.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:432
- C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
  "C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4940
- C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
  "C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /r
  2⤵
  PID:2736
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /r
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /g
  2⤵
  PID:5440
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /g
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /v
  2⤵
  PID:4576
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /v
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
  2⤵
  PID:60
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
  2⤵
  PID:4164
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /y
  2⤵
  PID:5156
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /y
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
  2⤵
  PID:5064
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:5996
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
  2⤵
  PID:1520
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
  2⤵
  PID:5000
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
  2⤵
  PID:984
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
  2⤵
  PID:4404
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /u
  2⤵
  PID:3768
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /u
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:4372
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
    3⤵
    PID:2156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:3064
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
    3⤵
    PID:4512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
  2⤵
  PID:1812
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
    3⤵
    PID:4500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
  2⤵
  PID:5708
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
    3⤵
    PID:4972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
  2⤵
  PID:1240
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
    3⤵
    PID:4560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /f
  2⤵
  PID:3224
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /f
    3⤵
    PID:1176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:5196
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
    3⤵
    PID:3060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /f
  2⤵
  PID:5664
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /f
    3⤵
    PID:3544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
  2⤵
  PID:6028
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
    3⤵
    PID:5928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
  2⤵
  PID:3308
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
    3⤵
    PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
  2⤵
  PID:4172
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
    3⤵
    PID:2492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
  2⤵
  PID:5576
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
    3⤵
    PID:748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
  2⤵
  PID:4628
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
    3⤵
    PID:3348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
  2⤵
  PID:1200
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
    3⤵
    PID:6084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /g
  2⤵
  PID:464
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /g
    3⤵
    PID:5336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
  2⤵
  PID:5696
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
    3⤵
    PID:3608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
  2⤵
  PID:6136
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
    3⤵
    PID:3372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
  2⤵
  PID:1448
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
    3⤵
    PID:4924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
  2⤵
  PID:2268
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
    3⤵
    PID:1036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
  2⤵
  PID:5524
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
    3⤵
    PID:5724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
  2⤵
  PID:3484
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
    3⤵
    PID:3544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /q
  2⤵
  PID:3384
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /q
    3⤵
    PID:5008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
  2⤵
  PID:5804
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
    3⤵
    PID:5324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
  2⤵
  PID:1236
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
    3⤵
    PID:5192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
  2⤵
  PID:4624
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
    3⤵
    PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
  2⤵
  PID:1108
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:844
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
    3⤵
    PID:5704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
  2⤵
  PID:4900
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
    3⤵
    PID:4760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:3528
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
    3⤵
    PID:3304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /h
  2⤵
  PID:448
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /h
    3⤵
    PID:3136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
  2⤵
  PID:1532
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
    3⤵
    PID:2536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
  2⤵
  PID:4400
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
    3⤵
    PID:2912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
  2⤵
  PID:1440
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
    3⤵
    PID:5072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:3184
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
    3⤵
    PID:1656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
  2⤵
  PID:5904
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
    3⤵
    PID:5392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
  2⤵
  PID:1316
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
    3⤵
    PID:4304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /f
  2⤵
  PID:1504
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /f
    3⤵
    PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /j
  2⤵
  PID:5548
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /j
    3⤵
    PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
  2⤵
  PID:4100
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
    3⤵
    PID:4224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
  2⤵
  PID:404
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
    3⤵
    PID:2552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
  2⤵
  PID:5832
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
    3⤵
    PID:4432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
  2⤵
  PID:3240
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
    3⤵
    PID:3588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
  2⤵
  PID:4632
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
    3⤵
    PID:2576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
  2⤵
  PID:5588
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
    3⤵
    PID:952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /k
  2⤵
  PID:5980
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /k
    3⤵
    PID:5448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
  2⤵
  PID:4844
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
    3⤵
    PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /f
  2⤵
  PID:1888
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /f
    3⤵
    PID:4644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
  2⤵
  PID:4588
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
    3⤵
    PID:4480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
  2⤵
  PID:4276
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
    3⤵
    PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /l
  2⤵
  PID:5768
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /l
    3⤵
    PID:5412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:112
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
    3⤵
    PID:2792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /s
  2⤵
  PID:516
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /s
    3⤵
    PID:5040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
  2⤵
  PID:3372
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
    3⤵
    PID:3724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
  2⤵
  PID:4496
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
    3⤵
    PID:448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
  2⤵
  PID:3768
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
    3⤵
    PID:812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
  2⤵
  PID:2520
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
    3⤵
    PID:1520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
  2⤵
  PID:5664
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
    3⤵
    PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /l
  2⤵
  PID:5624
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /l
    3⤵
    PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /a
  2⤵
  PID:3232
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /a
    3⤵
    PID:1100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
  2⤵
  PID:4120
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
    3⤵
    PID:5660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
  2⤵
  PID:2592
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
    3⤵
    PID:4976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
  2⤵
  PID:2064
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
    3⤵
    PID:4372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
  2⤵
  PID:5104
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
    3⤵
    PID:2200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
  2⤵
  PID:4760
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
    3⤵
    PID:4832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
  2⤵
  PID:3144
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
    3⤵
    PID:2952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /v
  2⤵
  PID:4788
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /v
    3⤵
    PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
  2⤵
  PID:5456
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
    3⤵
    PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
  2⤵
  PID:3036
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
    3⤵
    PID:5840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
  2⤵
  PID:992
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
    3⤵
    PID:6236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /o
  2⤵
  PID:4896
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /o
    3⤵
    PID:6220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
  2⤵
  PID:1976
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
    3⤵
    PID:6420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:6072
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
    3⤵
    PID:6840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /h
  2⤵
  PID:5140
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /h
    3⤵
    PID:6204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
  2⤵
  PID:3688
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
    3⤵
    PID:3692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
  2⤵
  PID:1040
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
    3⤵
    PID:6428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
  2⤵
  PID:4744
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
    3⤵
    PID:6900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
  2⤵
  PID:2224
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
    3⤵
    PID:6240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
  2⤵
  PID:1376
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
    3⤵
    PID:6732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
  2⤵
  PID:2140
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
    3⤵
    PID:6824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /j
  2⤵
  PID:4972
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /j
    3⤵
    PID:3136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
  2⤵
  PID:1812
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
    3⤵
    PID:7124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
  2⤵
  PID:116
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
    3⤵
    PID:6668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
  2⤵
  PID:4876
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
    3⤵
    PID:6520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
  2⤵
  PID:952
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
    3⤵
    PID:4076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
  2⤵
  PID:1704
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
    3⤵
    PID:6536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
  2⤵
  PID:4632
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
    3⤵
    PID:6576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
  2⤵
  PID:1188
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
    3⤵
    PID:1860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /y
  2⤵
  PID:1440
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /y
    3⤵
    PID:4120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:3284
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
    3⤵
    PID:1800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
  2⤵
  PID:5360
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
    3⤵
    PID:6204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
  2⤵
  PID:2396
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
    3⤵
    PID:6432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
  2⤵
  PID:5052
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
    3⤵
    PID:4120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
  2⤵
  PID:4172
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
    3⤵
    PID:6564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
  2⤵
  PID:5256
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
    3⤵
    PID:1812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /y
  2⤵
  PID:5184
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /y
    3⤵
    PID:4432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
  2⤵
  PID:888
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
    3⤵
    PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
  2⤵
  PID:4440
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
    3⤵
    PID:5148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
  2⤵
  PID:3820
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
    3⤵
    PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
  2⤵
  PID:5748
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
    3⤵
    PID:2816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
  2⤵
  PID:5768
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
    3⤵
    PID:4888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
  2⤵
  PID:5484
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
    3⤵
    PID:5392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /k
  2⤵
  PID:1236
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /k
    3⤵
    PID:5652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:4784
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
    3⤵
    PID:4060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
  2⤵
  PID:4392
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
    3⤵
    PID:5892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
  2⤵
  PID:5192
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
    3⤵
    PID:5272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
  2⤵
  PID:6096
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
    3⤵
    PID:1072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
  2⤵
  PID:5388
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
    3⤵
    PID:3688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
  2⤵
  PID:6248
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
    3⤵
    PID:812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /o
  2⤵
  PID:6316
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /o
    3⤵
    PID:6564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
  2⤵
  PID:6404
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
    3⤵
    PID:5328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:6484
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
    3⤵
    PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
  2⤵
  PID:6612
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
    3⤵
    PID:5484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /l
  2⤵
  PID:6624
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /l
    3⤵
    PID:888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
  2⤵
  PID:6672
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
    3⤵
    PID:7716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
  2⤵
  PID:6720
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
    3⤵
    PID:452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /v
  2⤵
  PID:6788
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /v
    3⤵
    PID:7616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
  2⤵
  PID:6860
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
    3⤵
    PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /f
  2⤵
  PID:6920
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /f
    3⤵
    PID:7608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
  2⤵
  PID:7060
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
    3⤵
    PID:1072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
  2⤵
  PID:7088
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
    3⤵
    PID:6440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:3236
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
    3⤵
    PID:7768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
  2⤵
  PID:2064
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
    3⤵
    PID:7656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /t
  2⤵
  PID:3060
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /t
    3⤵
    PID:4172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
  2⤵
  PID:2596
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
    3⤵
    PID:7352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
  2⤵
  PID:4052
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
    3⤵
    PID:7476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
  2⤵
  PID:400
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
    3⤵
    PID:7664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
  2⤵
  PID:4492
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
    3⤵
    PID:7216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
  2⤵
  PID:2336
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
    3⤵
    PID:5104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
  2⤵
  PID:6764
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
    3⤵
    PID:644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /r
  2⤵
  PID:6800
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /r
    3⤵
    PID:5256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
  2⤵
  PID:7020
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
    3⤵
    PID:6320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
  2⤵
  PID:6732
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
    3⤵
    PID:7744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
  2⤵
  PID:6908
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
    3⤵
    PID:7296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
  2⤵
  PID:2412
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
    3⤵
    PID:7260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
  2⤵
  PID:5972
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
    3⤵
    PID:5748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
  2⤵
  PID:5928
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
    3⤵
    PID:6916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
  2⤵
  PID:5896
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
    3⤵
    PID:4760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /h
  2⤵
  PID:6816
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /h
    3⤵
    PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
  2⤵
  PID:2000
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
    3⤵
    PID:3492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
  2⤵
  PID:6840
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
    3⤵
    PID:6128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
  2⤵
  PID:5064
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
    3⤵
    PID:3060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:4664
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
    3⤵
    PID:6856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
  2⤵
  PID:6544
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
    3⤵
    PID:4172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
  2⤵
  PID:6084
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
    3⤵
    PID:4540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /n
  2⤵
  PID:5824
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /n
    3⤵
    PID:5052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
  2⤵
  PID:5904
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
    3⤵
    PID:7156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
  2⤵
  PID:2796
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
    3⤵
    PID:2412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
  2⤵
  PID:3948
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
    3⤵
    PID:7804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
  2⤵
  PID:4692
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
    3⤵
    PID:6780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /l
  2⤵
  PID:2792
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /l
    3⤵
    PID:3236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
  2⤵
  PID:5876
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
    3⤵
    PID:6740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /u
  2⤵
  PID:3208
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /u
    3⤵
    PID:4492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:5332
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
    3⤵
    PID:2536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
  2⤵
  PID:3588
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
    3⤵
    PID:6788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /f
  2⤵
  PID:5588
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /f
    3⤵
    PID:7128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
  2⤵
  PID:4972
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
    3⤵
    PID:6320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
  2⤵
  PID:1016
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
    3⤵
    PID:6952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
  2⤵
  PID:4904
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
    3⤵
    PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /f
  2⤵
  PID:1516
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /f
    3⤵
    PID:6676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
  2⤵
  PID:1076
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
    3⤵
    PID:6720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
  2⤵
  PID:6352
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
    3⤵
    PID:5748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
  2⤵
  PID:448
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
    3⤵
    PID:3348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
  2⤵
  PID:4420
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
    3⤵
    PID:3584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
  2⤵
  PID:4448
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
    3⤵
    PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
  2⤵
  PID:5276
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
    3⤵
    PID:5844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /g
  2⤵
  PID:1812
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /g
    3⤵
    PID:8368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
  2⤵
  PID:5624
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
    3⤵
    PID:8960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
  2⤵
  PID:6896
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
    3⤵
    PID:7724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /l
  2⤵
  PID:7232
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /l
    3⤵
    PID:4644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
  2⤵
  PID:7304
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
    3⤵
    PID:5636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
  2⤵
  PID:7332
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
    3⤵
    PID:8672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /f
  2⤵
  PID:7432
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /f
    3⤵
    PID:9128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /v
  2⤵
  PID:7528
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /v
    3⤵
    PID:8692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
  2⤵
  PID:7540
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
    3⤵
    PID:9056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
  2⤵
  PID:7628
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
    3⤵
    PID:8492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
  2⤵
  PID:7688
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
    3⤵
    PID:5540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
  2⤵
  PID:7760
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
    3⤵
    PID:2880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
  2⤵
  PID:7892
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
    3⤵
    PID:6844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:7956
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
    3⤵
    PID:7576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
  2⤵
  PID:7968
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
    3⤵
    PID:4004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /q
  2⤵
  PID:7976
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /q
    3⤵
    PID:5696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
  2⤵
  PID:8000
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
    3⤵
    PID:8076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
  2⤵
  PID:8120
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
    3⤵
    PID:8496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:8176
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
    3⤵
    PID:5892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
  2⤵
  PID:7172
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
    3⤵
    PID:7484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
  2⤵
  PID:1392
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
    3⤵
    PID:5076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
  2⤵
  PID:2196
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
    3⤵
    PID:3584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /w
  2⤵
  PID:3368
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /w
    3⤵
    PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
  2⤵
  PID:1236
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
    3⤵
    PID:6896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:7476
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
    3⤵
    PID:5360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
  2⤵
  PID:6988
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
    3⤵
    PID:7344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:2060
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
    3⤵
    PID:7056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
  2⤵
  PID:1992
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
    3⤵
    PID:7996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /h
  2⤵
  PID:3564
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /h
    3⤵
    PID:4248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
  2⤵
  PID:8100
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
    3⤵
    PID:7984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
  2⤵
  PID:6604
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
    3⤵
    PID:3736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:6480
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
    3⤵
    PID:6544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
  2⤵
  PID:3176
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
    3⤵
    PID:4832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
  2⤵
  PID:6620
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
    3⤵
    PID:3644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
  2⤵
  PID:6584
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
    3⤵
    PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /h
  2⤵
  PID:6196
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /h
    3⤵
    PID:3032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
  2⤵
  PID:6404
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
    3⤵
    PID:5464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
  2⤵
  PID:7640
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
    3⤵
    PID:2644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
  2⤵
  PID:5324
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
    3⤵
    PID:7384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
  2⤵
  PID:6928
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
    3⤵
    PID:5688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
  2⤵
  PID:3528
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
    3⤵
    PID:5380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /f
  2⤵
  PID:3664
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /f
    3⤵
    PID:7556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /z
  2⤵
  PID:6416
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /z
    3⤵
    PID:7956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:528
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
    3⤵
    PID:4940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
  2⤵
  PID:400
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
    3⤵
    PID:7248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
  2⤵
  PID:5812
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
    3⤵
    PID:7800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
  2⤵
  PID:6392
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
    3⤵
    PID:7192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
  2⤵
  PID:3904
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
    3⤵
    PID:4784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
  2⤵
  PID:640
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
    3⤵
    PID:8472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /e
  2⤵
  PID:5656
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /e
    3⤵
    PID:5156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
  2⤵
  PID:2924
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
    3⤵
    PID:6620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
  2⤵
  PID:6160
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
    3⤵
    PID:7200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
  2⤵
  PID:7144
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
    3⤵
    PID:468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
  2⤵
  PID:4584
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
    3⤵
    PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
  2⤵
  PID:8236
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
    3⤵
    PID:6896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
  2⤵
  PID:8308
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
    3⤵
    PID:7812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /i
  2⤵
  PID:8456
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /i
    3⤵
    PID:512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:8480
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
    3⤵
    PID:3340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
  2⤵
  PID:8552
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
    3⤵
    PID:3176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
  2⤵
  PID:8608
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
    3⤵
    PID:1640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
  2⤵
  PID:8796
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
    3⤵
    PID:7616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
  2⤵
  PID:8872
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:964
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
    3⤵
    PID:5024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
  2⤵
  PID:8900
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
    3⤵
    PID:6184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /b
  2⤵
  PID:9008
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /b
    3⤵
    PID:8852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:9020
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
    3⤵
    PID:7704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:9080
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
    3⤵
    PID:6640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
  2⤵
  PID:9208
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
    3⤵
    PID:4496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
  2⤵
  PID:6088
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
    3⤵
    PID:6100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
  2⤵
  PID:4120
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
    3⤵
    PID:6792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
  2⤵
  PID:3144
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
    3⤵
    PID:8644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
  2⤵
  PID:2948
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
    3⤵
    PID:5844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /l
  2⤵
  PID:4568
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /l
    3⤵
    PID:8380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:6900
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
    3⤵
    PID:6316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
  2⤵
  PID:8568
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
    3⤵
    PID:5532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
  2⤵
  PID:3956
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
    3⤵
    PID:7352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:2084
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
    3⤵
    PID:6880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
  2⤵
  PID:8356
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
    3⤵
    PID:2912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
  2⤵
  PID:8908
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
    3⤵
    PID:5792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /w
  2⤵
  PID:7312
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /w
    3⤵
    PID:5660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
  2⤵
  PID:6948
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
    3⤵
    PID:6572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
  2⤵
  PID:7268
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
    3⤵
    PID:7336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
  2⤵
  PID:8936
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
    3⤵
    PID:7920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
  2⤵
  PID:6956
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
    3⤵
    PID:220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
  2⤵
  PID:7724
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
    3⤵
    PID:5808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
  2⤵
  PID:2120
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
    3⤵
    PID:6164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
  2⤵
  PID:4308
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
    3⤵
    PID:8736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /e
  2⤵
  PID:2748
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /e
    3⤵
    PID:6288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
  2⤵
  PID:8136
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
    3⤵
    PID:4588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:112
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
    3⤵
    PID:8368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
  2⤵
  PID:4904
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
    3⤵
    PID:5264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
  2⤵
  PID:948
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
    3⤵
    PID:3528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:4256
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
    3⤵
    PID:6912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /r
  2⤵
  PID:5212
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /r
    3⤵
    PID:7384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
  2⤵
  PID:1516
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
    3⤵
    PID:8260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
  2⤵
  PID:3972
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
    3⤵
    PID:1476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /f
  2⤵
  PID:5928
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /f
    3⤵
    PID:7504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
  2⤵
  PID:2000
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
    3⤵
    PID:8104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
  2⤵
  PID:1016
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
    3⤵
    PID:1656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
  2⤵
  PID:6968
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
    3⤵
    PID:1160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /u
  2⤵
  PID:6536
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /u
    3⤵
    PID:9036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
  2⤵
  PID:712
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
    3⤵
    PID:8272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
  2⤵
  PID:5200
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
    3⤵
    PID:5404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
  2⤵
  PID:5272
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
    3⤵
    PID:6780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
  2⤵
  PID:2656
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
    3⤵
    PID:5844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
  2⤵
  PID:7948
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
    3⤵
    PID:6164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
  2⤵
  PID:3688
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
    3⤵
    PID:7720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /p
  2⤵
  PID:3612
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /p
    3⤵
    PID:6716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
  2⤵
  PID:5224
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
    3⤵
    PID:8316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
  2⤵
  PID:7928
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
    3⤵
    PID:8504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
  2⤵
  PID:3212
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
    3⤵
    PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
  2⤵
  PID:4628
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
    3⤵
    PID:4956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
  2⤵
  PID:6208
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
    3⤵
    PID:8216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /l
  2⤵
  PID:7856
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /l
    3⤵
    PID:8524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /o
  2⤵
  PID:4328
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /o
    3⤵
    PID:7896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
  2⤵
  PID:5108
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
    3⤵
    PID:8696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
  2⤵
  PID:7420
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
    3⤵
    PID:8528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
  2⤵
  PID:2400
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
    3⤵
    PID:1240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
  2⤵
  PID:7576
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
    3⤵
    PID:8276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
  2⤵
  PID:7880
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
    3⤵
    PID:4492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /l
  2⤵
  PID:2672
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /l
    3⤵
    PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
  2⤵
  PID:7488
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
    3⤵
    PID:6672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /a
  2⤵
  PID:3140
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /a
    3⤵
    PID:7820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
  2⤵
  PID:5796
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
    3⤵
    PID:7100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
  2⤵
  PID:6984
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
    3⤵
    PID:7124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
  2⤵
  PID:7844
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
    3⤵
    PID:6168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
  2⤵
  PID:8124
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
    3⤵
    PID:7992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
  2⤵
  PID:7500
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
    3⤵
    PID:5148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
  2⤵
  PID:6700
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
    3⤵
    PID:8620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /g
  2⤵
  PID:7564
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /g
    3⤵
    PID:1136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
  2⤵
  PID:3996
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
    3⤵
    PID:4232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
  2⤵
  PID:7480
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
    3⤵
    PID:6744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:3888
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
    3⤵
    PID:6592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
  2⤵
  PID:1992
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
    3⤵
    PID:6360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
  2⤵
  PID:6932
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
    3⤵
    PID:8844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
  2⤵
  PID:6552
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
    3⤵
    PID:9124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /n
  2⤵
  PID:6196
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /n
    3⤵
    PID:5800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
  2⤵
  PID:1376
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
    3⤵
    PID:7508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
  2⤵
  PID:8072
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
    3⤵
    PID:9568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
  2⤵
  PID:6348
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
    3⤵
    PID:9436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
  2⤵
  PID:6236
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
    3⤵
    PID:7236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
  2⤵
  PID:7288
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
    3⤵
    PID:6404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
  2⤵
  PID:3592
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
    3⤵
    PID:9952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /m
  2⤵
  PID:512
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /m
    3⤵
    PID:8368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
  2⤵
  PID:4440
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
    3⤵
    PID:7532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
  2⤵
  PID:6520
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
    3⤵
    PID:10016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
  2⤵
  PID:7752
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
    3⤵
    PID:7152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
  2⤵
  PID:8956
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
    3⤵
    PID:888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
  2⤵
  PID:7092
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
    3⤵
    PID:9944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
  2⤵
  PID:8536
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
    3⤵
    PID:10236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /d
  2⤵
  PID:516
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /d
    3⤵
    PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
  2⤵
  PID:6136
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
    3⤵
    PID:7128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
  2⤵
  PID:3732
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
    3⤵
    PID:7224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
  2⤵
  PID:4124
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
    3⤵
    PID:6576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
  2⤵
  PID:5636
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
    3⤵
    PID:7512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
  2⤵
  PID:1820
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
    3⤵
    PID:9396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
  2⤵
  PID:9040
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
    3⤵
    PID:9840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /k
  2⤵
  PID:6388
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /k
    3⤵
    PID:1136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
  2⤵
  PID:528
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
    3⤵
    PID:9616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
  2⤵
  PID:8744
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
    3⤵
    PID:5224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
  2⤵
  PID:8776
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
    3⤵
    PID:1172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:6020
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
    3⤵
    PID:7740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
  2⤵
  PID:5304
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
    3⤵
    PID:7036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /o
  2⤵
  PID:8472
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /o
    3⤵
    PID:7220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
  2⤵
  PID:4456
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
    3⤵
    PID:6292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /s
  2⤵
  PID:6344
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /s
    3⤵
    PID:8904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
  2⤵
  PID:6640
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
    3⤵
    PID:9580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
  2⤵
  PID:9092
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
    3⤵
    PID:2140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
  2⤵
  PID:8344
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
    3⤵
    PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
  2⤵
  PID:456
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
    3⤵
    PID:8340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
  2⤵
  PID:8756
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
    3⤵
    PID:8308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
  2⤵
  PID:5812
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
    3⤵
    PID:10168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /b
  2⤵
  PID:8548
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /b
    3⤵
    PID:4560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /f
  2⤵
  PID:5532
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /f
    3⤵
    PID:8552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
  2⤵
  PID:2904
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
    3⤵
    PID:5184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
  2⤵
  PID:8968
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
    3⤵
    PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:6392
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
    3⤵
    PID:9872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /o
  2⤵
  PID:6872
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /o
    3⤵
    PID:4252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
  2⤵
  PID:7112
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
    3⤵
    PID:6848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /k
  2⤵
  PID:7604
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /k
    3⤵
    PID:3368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
  2⤵
  PID:6288
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
    3⤵
    PID:8916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
  2⤵
  PID:8768
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
    3⤵
    PID:3944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
  2⤵
  PID:844
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
    3⤵
    PID:7740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
  2⤵
  PID:8668
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
    3⤵
    PID:7880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
  2⤵
  PID:8312
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
    3⤵
    PID:3784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
  2⤵
  PID:5704
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
    3⤵
    PID:4108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /z
  2⤵
  PID:8264
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /z
    3⤵
    PID:6944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
  2⤵
  PID:8980
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
    3⤵
    PID:7736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /o
  2⤵
  PID:5964
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /o
    3⤵
    PID:1592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
  2⤵
  PID:8688
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
    3⤵
    PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
  2⤵
  PID:5896
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
    3⤵
    PID:8156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
  2⤵
  PID:3288
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
    3⤵
    PID:7396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
  2⤵
  PID:8540
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
    3⤵
    PID:6496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /o
  2⤵
  PID:8320
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /o
    3⤵
    PID:7868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
  2⤵
  PID:6920
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
    3⤵
    PID:4256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
  2⤵
  PID:4540
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
    3⤵
    PID:4424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
  2⤵
  PID:1876
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
    3⤵
    PID:8272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:6992
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
    3⤵
    PID:8412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:8112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
  2⤵
  PID:4060
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
    3⤵
    PID:8632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /x
  2⤵
  PID:8148
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /x
    3⤵
    PID:8856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
  2⤵
  PID:7308
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
    3⤵
    PID:5732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
  2⤵
  PID:7544
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
    3⤵
    PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
  2⤵
  PID:8224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
  2⤵
  PID:3240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
  2⤵
  PID:5196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /l
  2⤵
  PID:4800
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /l
    3⤵
    PID:228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /o
  2⤵
  PID:8248
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /o
    3⤵
    PID:984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
  2⤵
  PID:8524
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
    3⤵
    PID:6496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
  2⤵
  PID:7732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
  2⤵
  PID:8104
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
    3⤵
    PID:8640
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  PID:7384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
  2⤵
  PID:6968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
  2⤵
  PID:4368
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
    3⤵
    PID:5688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /o
  2⤵
  PID:6840
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /o
    3⤵
    PID:8856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
  2⤵
  PID:8620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /x
  2⤵
  PID:8832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
  2⤵
  PID:9296
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
    3⤵
    PID:8328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /f
  2⤵
  PID:9352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
  2⤵
  PID:9428
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
    3⤵
    PID:3312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
  2⤵
  PID:9480
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
    3⤵
    PID:5504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
  2⤵
  PID:9608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
  2⤵
  PID:9700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /e
  2⤵
  PID:9720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:9764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
  2⤵
  PID:9852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
  2⤵
  PID:9896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:9988
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
    3⤵
    PID:7776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
  2⤵
  PID:10128
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
    3⤵
    PID:5732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
  2⤵
  PID:10184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /o
  2⤵
  PID:10228
- - C:\Users\Admin\nolew.exe
    C:\Users\Admin\nolew.exe /o
    3⤵
    PID:5624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
  2⤵
  PID:8860
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
    3⤵
    PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
  2⤵
  PID:6160
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
    3⤵
    PID:2588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
  2⤵
  PID:9252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
  2⤵
  PID:9332
- - C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe
    C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
    3⤵
    PID:10252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
  2⤵
  PID:9472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /l
  2⤵
  PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /z
  2⤵
  PID:6380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
  2⤵
  PID:4748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
  2⤵
  PID:7660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
  2⤵
  PID:5108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
  2⤵
  PID:8460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
  2⤵
  PID:4628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:8684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /v
  2⤵
  PID:6208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
  2⤵
  PID:6536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /b
  2⤵
  PID:7376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
  2⤵
  PID:6712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
  2⤵
  PID:4784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
  2⤵
  PID:5464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
  2⤵
  PID:6884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /a
  2⤵
  PID:10096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /a
  2⤵
  PID:8752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /o
  2⤵
  PID:8096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /k
  2⤵
  PID:8260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:7080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
  2⤵
  PID:7344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /m
  2⤵
  PID:3724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /u
  2⤵
  PID:9140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
  2⤵
  PID:4600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
  2⤵
  PID:4184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
  2⤵
  PID:7488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
  2⤵
  PID:8108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /e
  2⤵
  PID:2416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /q
  2⤵
  PID:8680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
  2⤵
  PID:6888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
  2⤵
  PID:7656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
  2⤵
  PID:8728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
  2⤵
  PID:4996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
  2⤵
  PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /g
  2⤵
  PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:5148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /i
  2⤵
  PID:3824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /o
  2⤵
  PID:7548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
  2⤵
  PID:7236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:9512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:10156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
  2⤵
  PID:8020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /x
  2⤵
  PID:3592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
  2⤵
  PID:7092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
  2⤵
  PID:5232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
  2⤵
  PID:6520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
  2⤵
  PID:1868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:9492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /m
  2⤵
  PID:992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /i
  2⤵
  PID:8452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /l
  2⤵
  PID:6584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
  2⤵
  PID:8380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /n
  2⤵
  PID:6820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
  2⤵
  PID:3736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
  2⤵
  PID:536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /p
  2⤵
  PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /w
  2⤵
  PID:8792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /x
  2⤵
  PID:3664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /o
  2⤵
  PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /o
  2⤵
  PID:2912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /z
  2⤵
  PID:5336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
  2⤵
  PID:8028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /o
  2⤵
  PID:6600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
  2⤵
  PID:7456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /k
  2⤵
  PID:7740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
  2⤵
  PID:7252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
  2⤵
  PID:7596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /v
  2⤵
  PID:8788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
  2⤵
  PID:5768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
  2⤵
  PID:8776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /l
  2⤵
  PID:7880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /m
  2⤵
  PID:10048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /f
  2⤵
  PID:3232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /c
  2⤵
  PID:10076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /h
  2⤵
  PID:7524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
  2⤵
  PID:6156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /d
  2⤵
  PID:4108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /y
  2⤵
  PID:6136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /r
  2⤵
  PID:696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\nolew.exe /l
  2⤵
  PID:3784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /t
  2⤵
  PID:3608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /j
  2⤵
  PID:7888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /x
  2⤵
  PID:4252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /s
  2⤵
  PID:7752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\0bb3e9c660f99967ca4c8e21bc46e940.exe /q
  2⤵
  PID:884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:4912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:5960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:556

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:4648

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:5444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3896

C:\Windows\SysWOW64\wosaom.exe
C:\Windows\SysWOW64\wosaom.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery